Errors

The API reports failures in three ways. Which one you get depends on where the request failed.

Authentication errors

A missing, expired, or invalid token returns HTTP 401 with an error body:

{
  "errors": [
    { "message": "Unauthorized", "extensions": { "code": "UNAUTHORIZED" } }
  ]
}

Fix: check that the Authorization header is present and the token is current. See Authentication.

GraphQL errors

If the request is authenticated but the query itself is wrong, for example a misspelled field or a missing required argument, the API returns HTTP 200 with a top-level errors array and no data:

{
  "errors": [
    {
      "message": "Field 'notAField' doesn't exist on type 'Organization'",
      "locations": [{ "line": 1, "column": 20 }],
      "path": ["query", "organization", "notAField"],
      "extensions": {
        "code": "undefinedField",
        "typeName": "Organization",
        "fieldName": "notAField"
      }
    }
  ]
}

These errors are usually a bug in the request. Fix the query and resend.

Mutation errors

Mutations handle expected failures differently. Instead of a top-level error, the failure is returned inside the mutation's own errors field, and data is present:

Every mutation in these docs has an errors field. Always request it and always check it. An empty list means success.

This design also protects against enumeration. A record that does not exist and a record you are not allowed to see both return the same message, for example Sbom not found.

Common messages

Checking errors in a script

With jq, check the top-level errors key before using data: