API conventions
Prove Platform APIs follow consistent API conventions. The API responses follow these conventions:
- Optional fields that have no values aren’t returned.
- JSON maps that have no values aren’t returned.
- JSON arrays that have no values aren’t returned.
HTTP status codes
The following table has a list of the HTTP status codes returned by the Prove services:
| Code | Definition | Description |
|---|---|---|
| 200 | OK | The request completed successfully. |
| 400 | Bad Request | There was a problem with the submitted request. |
| 401 | Unauthorized | The request lacks valid authentication credentials for the target resource. Check that the credentials have no missing characters or stray whitespace. Validate that you are calling the correct environment, such as US or EU and Production or Sandbox. |
| 403 | Forbidden | The client doesn’t have permission to access the target resource. |
| 404 | Not Found | The server didn’t find anything matching the Request-URI. |
| 429 | Too Many Requests | The rate limit of 25 requests per second has been exceeded. Wait for the time specified in the Retry-After header before making additional requests. |
| 500 | Internal Server Error | The server encountered an unexpected condition preventing it from fulfilling the request. Retry the request, and if the problem persists, contact Prove support. |
API error codes
When a Prove API encounters a request error, the JSON response object includes a code field and a message field to give further context.
This table has a list of the API error codes:
| Error Code | Description | Resolution Path |
|---|---|---|
| 8000 | Internal Error | The server encountered an unexpected condition preventing it from fulfilling the request. Retry the request, and if the problem persists, contact Prove support. |
| 8001 | Malformed Request | Ensure the request is valid JSON, is under 4 KB in size, and correct any invalid parameters. The API specifies invalid parameters and includes the reason in the message field. |
| 8002 | Unauthorized Request | The request lacks valid authentication credentials for the target resource. Ensure you used the correct credentials. |
| 8003 | Step Called Out of Order | The request called an endpoint out of order. Check the next field for the proper endpoint to call. |
| 8007 | Sandbox User Not Found | Only use test user information as input for requests unless otherwise specified in the test cases. |
| 8008 | Invalid Correlation ID | Check the Correlation ID for errors. The Correlation ID is unique per session. |
| 8009 | Sandbox Test User Access Denied | Your current product credentials can’t access the test user. Ensure you’re using test users with the matching Prove solution credentials. |
| 8010 | Unauthorized for Country | This can mean one of two things: |
| 8011 | Identity Not Found | No identity exists for the provided Identity ID. |
Rate limiting
Prove APIs enforce a rate limit of 25 requests per second to ensure fair resource usage and system stability. When you exceed this limit, the API returns an HTTP 429 status code with the following headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | The maximum number of requests allowed per second |
| X-RateLimit-Remaining | The number of requests remaining in the current time window |
| X-RateLimit-Reset | The time, in Unix epoch seconds, when the rate limit resets |
| Retry-After | The number of seconds to wait before making another request |
Example rate limit response
Best practices for handling rate limits
- Check the X-RateLimit-Remaining header to track your usage.
- Implement exponential backoff when you receive a 429 response.
- Respect the Retry-After header value before retrying requests.
- Distribute requests evenly over time rather than sending bursts.
Retry behavior after errors
When a request returns an HTTP status code other than 200, you can fix and retry the request. If you retry a request that resulted in 200, you receive an HTTP 403 code with either "step called out of order" or "correlation ID is expired or invalid". Prove prevents retries to ensure proper behavior and mitigate issues with replay attacks.
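The rate-limit practices and the retry rule above, combined in an added Python example (not Prove's own code). The `send` callable, the backoff constants and the sample responses are assumptions constructed for illustration; the loop retries only 429 and 500 unchanged and never resends after a 200.

```python
import random
import time

RETRYABLE = {429, 500}  # the only codes the tables above say to retry unchanged


def wait_seconds(status, headers, attempt, base=0.5, cap=30.0, rng=random.uniform):
    """Delay before the next attempt; headers must have lowercase keys."""
    if status == 429:
        try:
            # Honor the server's instruction; never retry earlier than asked.
            return max(int(headers["retry-after"]), 0)
        except (KeyError, ValueError):
            pass  # header missing or malformed: fall back to backoff
    # Exponential backoff with full jitter so clients do not retry in lockstep.
    return rng(0, min(cap, base * 2 ** attempt))


def call_with_retry(send, max_attempts=5, sleep=time.sleep, rng=random.uniform):
    """Call send() -> (status, headers, body) and return the final response.

    A 200 is returned at once and never resent, because the page says a
    repeated successful call is rejected with a 403. Codes such as 400, 401
    and 403 are also returned, since the request must be fixed first.
    """
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status not in RETRYABLE or attempt == max_attempts - 1:
            return status, headers, body
        lowered = {k.lower(): v for k, v in headers.items()}
        sleep(wait_seconds(status, lowered, attempt, rng=rng))


def demo():
    """Constructed responses: rate limited, server error, then success."""
    replies = iter([
        (429, {"Retry-After": "2", "X-RateLimit-Remaining": "0"}, {}),
        (500, {}, {"code": 8000, "message": "constructed sample"}),
        (200, {}, {"constructed": True}),
    ])
    waits = []
    result = call_with_retry(lambda: next(replies), sleep=waits.append,
                             rng=lambda lo, hi: hi)  # deterministic jitter
    return result, waits
```

In production, pass a `send` that issues the real HTTP request and leave `sleep` and `rng` at their defaults.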
