OutpayDocs
API reference

Errors

The error envelope and error codes for the public v1 API.

Error envelope

{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "Provide a valid API key in the Authorization header.",
    "details": [],
    "request_id": "req_01JZ8QWA6P9K1Q0D6XQYY2FZQ7"
  }
}
FieldTypeDescription
codestringStable, machine-readable error code. Always present.
messagestringHuman-readable explanation.
detailsarrayField-level validation issues. Always present, even when empty.
request_idstringCorrelates the request for support. Always present, and also returned in the x-request-id response header.

A second error envelope exists

Dashboard, admin, and internal routes (everything outside /api/v1/*) use a different, legacy JSON error shape without a request_id field in the body. Do not build a single client against both surfaces without branching on which base path you called — see API overview.

Error codes

HTTPCodeMeaningAction
400VALIDATION_FAILEDThe request body, query string, or path parameter failed schema validation, including malformed JSON.Fix the field(s) listed in details and resubmit.
400INVALID_IDEMPOTENCY_KEYIdempotency-Key is empty, over 255 characters, or contains a disallowed character.Use 1–255 characters of letters, digits, :, _, -.
401INVALID_API_KEYThe key is missing, malformed, revoked, or does not match.Check the key value; rotate if it was revoked.
403FORBIDDENThe key lacks the operation's required scope.Issue a new key with the correct scope — scopes cannot be edited after creation.
404CHECKOUT_NOT_FOUNDNo checkout matches the given ID for the authenticated merchant.Verify the ID and that it belongs to this merchant.
409EXPIRED_IDEMPOTENCY_KEYThe Idempotency-Key was used previously, but its 24-hour replay record has expired.Decide whether a new checkout is still appropriate, then retry with a new key.
409IDEMPOTENCY_KEY_REUSEDThe same Idempotency-Key was sent with a materially different request body.Investigate before retrying; use a new key only for a genuinely new request.
409MERCHANT_NOT_ACTIVEThe merchant account is deactivated.Reactivate the store from the Dashboard, or contact support.
429CHECKOUT_CREATE_RATE_LIMITEDExceeded 60 checkout-creation requests/minute for this merchant.Respect the Retry-After header.
429CHECKOUT_STATUS_RATE_LIMITEDExceeded 300 checkout-read requests/minute for this merchant.Respect Retry-After; poll no more often than the hosted checkout page's own 5-second interval.
429PAYMENTS_LIST_RATE_LIMITEDExceeded 120 payment-list requests/minute for this merchant.Respect Retry-After.
500CHECKOUT_CREATE_FAILEDUnexpected server-side failure while creating a checkout.Retry only with the same Idempotency-Key.
500CHECKOUT_READ_FAILEDUnexpected server-side failure while reading a checkout.Safe to retry; reads carry no idempotency risk.
500PAYMENTS_READ_FAILEDUnexpected server-side failure while listing payments.Safe to retry.

Keep request IDs

Log request_id alongside your order ID and checkout ID. It is the fastest path to support and incident correlation, and it is present on every response — success or error — via the x-request-id header.

All codes above are stable during Beta but not guaranteed to survive to v1.0 unchanged. Match on error.code, never on error.message, since messages are meant for humans and may be reworded without notice.

  • Idempotency — the full behaviour behind the 409 conflict codes.
  • Authentication — avoiding 401/403 responses.
  • Support — what to include when escalating an error.

On this page