Errors
Every REST endpoint across both apps returns the same JSON error body for 4xx and 5xx responses. Implementing it consistently matters: the error message is what Alderstone surfaces to users when something fails, and the code is how you (and support) diagnose it.
Error body
Every error response includes schemaVersion, error, and code. Validation failures may add details.
- Name
schemaVersion- Type
- string
- Description
Always
"1".
- Name
error- Type
- string
- Description
Human-readable message.
- Name
code- Type
- string
- Description
Machine-readable code (see table below).
- Name
details- Type
- object
- Description
Optional field-level validation errors for 422.
Response
{
"schemaVersion": "1",
"error": "Human-readable message",
"code": "VALIDATION_FAILED",
"details": {
"fieldErrors": { "customerId": ["Required"] }
}
}Status codes
- Name
401- Description
UNAUTHORIZED: missing or invalidAuthorization: Bearerheader.
- Name
403- Description
FORBIDDEN: token valid but not allowed for this operation.
- Name
400- Description
INVALID_JSONorBAD_REQUEST: malformed body or unsupported input.
- Name
422- Description
VALIDATION_FAILED: schema validation failed; seedetails.
- Name
500- Description
INTERNAL_ERROR: unexpected server failure on the ERP side.
Error codes
- Name
UNAUTHORIZED- Type
- 401
- Description
Require
Authorization: Bearer {token}on every request.
- Name
FORBIDDEN- Type
- 403
- Description
Token is recognized but lacks permission.
- Name
INVALID_JSON- Type
- 400
- Description
Request body is not valid JSON.
- Name
VALIDATION_FAILED- Type
- 422
- Description
Body failed contract validation; include
detailswhen possible.
- Name
BAD_REQUEST- Type
- 400
- Description
Well-formed JSON that cannot be processed (e.g. Unknown customer).
- Name
INTERNAL_ERROR- Type
- 500
- Description
Unhandled exception; log server-side; return a safe message to the client.
Practical guidance
- Write
errormessages for the operator who will read them in the Alderstone UI, e.g.SKU WIDGET-42 not found in ERP catalogueinstead ofnot found. - Don't swallow upstream ERP failures into empty result arrays; return a 500 with
INTERNAL_ERROR(or 400BAD_REQUESTwhen the input caused it) so failures are visible instead of looking like missing data. - Authentication failures are covered in detail in Authentication; validation behaviour can be tested in the Developer Sandbox, which returns the same 422 shape as production.