Errors

This page enumerates all errors that might be received while using the Turnkey API.

Turnkey Error

Turnkey's API is a remote procedure call (RPC) API, so Turnkey error codes (the number in any error that starts with "Turnkey error") correspond directly to GRPC error codes.

Example

Turnkey error 3: organization mismatch: request is targeting organization ("USER SUB ORG"), but voters are in organization ("OUR MAIN ORG")

GRPC Status Codes Reference

| Code | Number | Description |
| --- | --- | --- |
| OK | 0 | Not an error; returned on success. |
| CANCELLED | 1 | The operation was cancelled, typically by the caller. |
| UNKNOWN | 2 | Unknown error. For example, this error may be returned when a Status value received from another address space belongs to an error space that is not known in this address space. Also errors raised by APIs that do not return enough error information may be converted to this error. |
| INVALID_ARGUMENT | 3 | The client specified an invalid argument. Note that this differs from FAILED_PRECONDITION. INVALID_ARGUMENT indicates arguments that are problematic regardless of the state of the system (e.g., a malformed file name). |
| DEADLINE_EXCEEDED | 4 | The deadline expired before the operation could complete. For operations that change the state of the system, this error may be returned even if the operation has completed successfully. For example, a successful response from a server could have been delayed long |
| NOT_FOUND | 5 | Some requested entity (e.g., file or directory) was not found. Note to server developers: if a request is denied for an entire class of users, such as gradual feature rollout or undocumented allowlist, NOT_FOUND may be used. If a request is denied for some users within a class of users, such as user-based access control, PERMISSION_DENIED must be used. |
| ALREADY_EXISTS | 6 | The entity that a client attempted to create (e.g., file or directory) already exists. |
| PERMISSION_DENIED | 7 | The caller does not have permission to execute the specified operation. PERMISSION_DENIED must not be used for rejections caused by exhausting some resource (use RESOURCE_EXHAUSTED instead for those errors). PERMISSION_DENIED must not be used if the caller can not be identified (use UNAUTHENTICATED instead for those errors). This error code does not imply the request is valid or the requested entity exists or satisfies other pre-conditions. |
| RESOURCE_EXHAUSTED | 8 | Some resource has been exhausted, perhaps a per-user quota, or perhaps the entire file system is out of space. |
| FAILED_PRECONDITION | 9 | The operation was rejected because the system is not in a state required for the operation's execution. For example, the directory to be deleted is non-empty, an rmdir operation is applied to a non-directory, etc. Service implementors can use the following guidelines to decide between FAILED_PRECONDITION, ABORTED, and UNAVAILABLE: (a) Use UNAVAILABLE if the client can retry just the failing call. (b) Use ABORTED if the client should retry at a higher level (e.g., when a client-specified test-and-set fails, indicating the client should restart a read-modify-write sequence). (c) Use FAILED_PRECONDITION if the client should not retry until the system state has been explicitly fixed. E.g., if an "rmdir" fails because the directory is non-empty, FAILED_PRECONDITION should be returned since the client should not retry unless the files are deleted from the directory. |
| ABORTED | 10 | The operation was aborted, typically due to a concurrency issue such as a sequencer check failure or transaction abort. See the guidelines above for deciding between FAILED_PRECONDITION, ABORTED, and UNAVAILABLE. |
| OUT_OF_RANGE | 11 | The operation was attempted past the valid range. E.g., seeking or reading past end-of-file. Unlike INVALID_ARGUMENT, this error indicates a problem that may be fixed if the system state changes. For example, a 32-bit file system will generate INVALID_ARGUMENT if asked to read at an offset that is not in the range [0,2^32-1], but it will generate OUT_OF_RANGE if asked to read from an offset past the current file size. There is a fair bit of overlap between FAILED_PRECONDITION and OUT_OF_RANGE. We recommend using OUT_OF_RANGE (the more specific error) when it applies so that callers who are iterating through a space can easily look for an OUT_OF_RANGE error to detect when they are done. |
| UNIMPLEMENTED | 12 | The operation is not implemented or is not supported/enabled in this service. |
| INTERNAL | 13 | Internal errors. This means that some invariants expected by the underlying system have been broken. This error code is reserved for serious errors. |
| UNAVAILABLE | 14 | The service is currently unavailable. This is most likely a transient condition, which can be corrected by retrying with a backoff. Note that it is not always safe to retry non-idempotent operations. |
| DATA_LOSS | 15 | Unrecoverable data loss or corruption. |
| UNAUTHENTICATED | 16 | The request does not have valid authentication credentials for the operation. |

Source: https://grpc.io/docs/guides/status-codes/
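
An added example (not Turnkey's own code) that parses the "Turnkey error N: reason" form shown above and applies the retry guidance from the FAILED_PRECONDITION, ABORTED, UNAVAILABLE and DEADLINE_EXCEEDED rows of the table. The function names, the action strings and the conservative defaults are assumptions of this example.

```python
import re
from enum import IntEnum

# Numbering follows the status-code table above (OK = 0 ... UNAUTHENTICATED = 16).
Code = IntEnum("Code", (
    "OK CANCELLED UNKNOWN INVALID_ARGUMENT DEADLINE_EXCEEDED NOT_FOUND "
    "ALREADY_EXISTS PERMISSION_DENIED RESOURCE_EXHAUSTED FAILED_PRECONDITION "
    "ABORTED OUT_OF_RANGE UNIMPLEMENTED INTERNAL UNAVAILABLE DATA_LOSS "
    "UNAUTHENTICATED"), start=0)

# Message shape taken from the example on this page: "Turnkey error <N>: <reason>".
_PATTERN = re.compile(r"^Turnkey error (\d+): (.*)$", re.DOTALL)

# The example message shown on this page.
SAMPLE = ('Turnkey error 3: organization mismatch: request is targeting '
          'organization ("USER SUB ORG"), but voters are in organization '
          '("OUR MAIN ORG")')

def parse_turnkey_error(text):
    """Return (Code, reason), or None when the text is not a Turnkey error."""
    match = _PATTERN.match(text.strip())
    if match is None:
        return None
    number = int(match.group(1))
    # A number outside the table is treated as UNKNOWN (assumption of this example).
    code = Code(number) if number <= Code.UNAUTHENTICATED else Code.UNKNOWN
    return code, match.group(2)

def retry_action(text, idempotent):
    """Map an error to a client action; the action names are hypothetical."""
    parsed = parse_turnkey_error(text)
    if parsed is None:
        return "no_retry"
    code, _reason = parsed
    if code in (Code.UNAVAILABLE, Code.DEADLINE_EXCEEDED):
        # UNAVAILABLE is transient, but blind retries are unsafe for
        # non-idempotent calls, and a timed-out call may already have succeeded.
        return "retry_call_with_backoff" if idempotent else "verify_then_retry"
    if code is Code.ABORTED:
        return "restart_sequence"      # retry at a higher level
    if code is Code.FAILED_PRECONDITION:
        return "fix_state_first"       # do not retry until state is fixed
    if code in (Code.UNAUTHENTICATED, Code.PERMISSION_DENIED):
        return "check_credentials"     # the same request will fail again
    return "no_retry"                  # conservative default (assumption)
```
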

All Error Codes for Actions

The table below enumerates all errors across the different actions that can be taken using the API. For each error it gives the GRPC code, the corresponding HTTP code, and the displayed error message.

| Action | GRPC Code | HTTP Code | Reason |
| --- | --- | --- | --- |
| Authentication | NotFound | 404 | no organization found with the given ID |
| Authentication | Internal | 500 | internal error |
| Authentication | Internal | 500 | failed to read organization parent ID |
| Authentication | Internal | 500 | failed to execute get sub-organization by credential ID query |
| Authentication | Internal | 500 | failed to execute get sub-organization by public key query |
| Authentication | Internal | 500 | cannot find user for public key |
| Authentication | InvalidArgument | 400 | malformed organization ID provided |
| Authentication | InvalidArgument | 400 | bad request body |
| Authentication | PermissionDenied | 403 | api operations disabled |
| Authentication | ResourceExhausted | 403 | this organization cannot execute activities because it is over its allotted quota. Please reach out to the Turnkey team (help@turnkey.com) for more information. |
| Authentication | ResourceExhausted | 403 | this sub-organization cannot execute activities because its parent is over its allotted quota. Please reach out to the Turnkey team (help@turnkey.com) for more information. |
| Authentication | PermissionDenied | 403 | request not authorized |
| Authentication | Unauthenticated | 401 | no valid authentication signature found for request |
| Authentication | Unauthenticated | 401 | could not find public key in organization |
| Authentication | Unauthenticated | 401 | failed while looking up public key in parent organization |
| Authentication | Unauthenticated | 401 | could not find public key in organization or its parent organization |
| Authentication | Unauthenticated | 401 | could not verify WebAuthN signature |
| Authentication | Unauthenticated | 401 | credential ID could not be found in organization or its parent organization |
| Authentication | Unauthenticated | 401 | public key could not be found in organization or its parent organization |
| Authentication | Unauthenticated | 401 | more than one suborg associated with a credential ID |
| Authentication | Unauthenticated | 401 | more than one suborg associated with a public key |
| Authentication | Unauthenticated | 401 | cannot extract api key signature |
| Authentication | Unauthenticated | 401 | could not verify api key signature |
| Authentication | Unauthenticated | 401 | request does not have a valid authentication header |
| Authentication | Unauthenticated | 401 | expired api key |
| Authentication | Unauthenticated | 401 | malformed activity stamp |
| Authentication | Unauthenticated | 401 | could not extract webauthn stamp |
| Authentication | Unauthenticated | 401 | could not extract api key stamp |
| Authentication | Unauthenticated | 401 | cannot authenticate public API activity request without a stamp (X-Stamp/X-Stamp-Webauthn header) |
| Authentication | NotFound | 404 | webauthn authenticator not found in organization |
| Authentication | NotFound | 404 | webauthn authenticator not found in organization or parent organization |
| Authentication | Internal | 500 | failed to load webauthn authenticator |
| Signing | InvalidArgument | 400 | invalid payload encoding |
| Signing | InvalidArgument | 400 | invalid hash function |
| Signing | Internal | 500 | *transaction type not implemented |
| Email Auth | InvalidArgument | 400 | invalid magic link template |
| Email Auth | InvalidArgument | 400 | failed to get email template contents |
| Email Auth | InvalidArgument | 400 | failed to unmarshal template variables |
| Email Auth | Internal | 500 | error while sending auth email |
| Email Auth | Internal | 500 | failed to find user by email |
| List Users | PermissionDenied | 403 | authentication failed |
| List Users | InvalidArgument | 400 | *failed to load organizations |
| List Users | Internal | 500 | failed users lookup |
| Policies | InvalidArgument | 400 | policy label must be unique |
| Policies | InvalidArgument | 400 | invalid policy consensus |
| Policies | InvalidArgument | 400 | invalid policy condition |
| Update Root Quorum | InvalidArgument | 400 | quorum threshold must be non-zero integer |
| Update Root Quorum | InvalidArgument | 400 | quorum threshold cannot be less than quorum user count |
| Update Root Quorum | InvalidArgument | 400 | quorum users missing |
| Update Root Quorum | InvalidArgument | 400 | quorum missing |
| Create Sub Org | InvalidArgument | 400 | invalid api key expiration |
| Create Sub Org | InvalidArgument | 400 | missing parameter: user authenticator attestation |
| Create Sub Org | InvalidArgument | 400 | invalid authenticator attestation |
| Create Sub Org | InvalidArgument | 400 | missing parameter: user authenticator attestation auth data |
| Create Sub Org | ResourceExhausted | 429 | user has exceeded maximum authenticators |
| Create Sub Org | ResourceExhausted | 429 | user has exceeded maximum long-lived api keys |
| Create Sub Org | ResourceExhausted | 429 | user has exceeded maximum short-lived api keys |
| Create Sub Org | InvalidArgument | 400 | missing wallet params |
| Create Sub Org | InvalidArgument | 400 | invalid path format |
| Create Sub Org | InvalidArgument | 400 | invalid path |
| Create Sub Org | InvalidArgument | 400 | invalid address format |
| Create Sub Org | InvalidArgument | 400 | invalid curve |
| Create Sub Org | InvalidArgument | 400 | curve required |
| Approve Activity | NotFound | 404 | No activity found with fingerprint. Consensus activities must target an existing activity by fingerprint |