Structured Error Handling

Design structured API error responses with AI — machine-readable error codes, actionable messages, validation details, and consistent error patterns that help consumers debug instantly.

Premium Course Content

This lesson is part of a premium course. Upgrade to Pro to unlock all premium courses and content.

Access all premium courses
1000+ AI skill templates included
New content added weekly

← Back to course overview

🔄 Quick Recall: In the previous lesson, you built automated documentation systems. Now you’ll design the error handling that determines whether API consumers spend 5 minutes or 5 hours debugging integration issues.

Error responses are the most underdesigned part of most APIs. When everything works, any API feels decent. When something fails — and it will fail — the quality of your error response determines whether the consumer can fix it in minutes or has to open a support ticket. AI helps design structured, consistent error patterns that make every failure a learning experience, not a mystery.

Error Response Schema

AI prompt for error schema design:

Design a standard error response schema for my REST API. Create: (1) a base error structure that every error response follows — with code (machine-readable string), message (human-readable), details (array for field-level errors), request_id (for tracking), and documentation_url (link to the specific error in docs), (2) validation error format — how to represent multiple field errors in a single response with field paths, expected formats, and actual values received, (3) authentication error format — distinguish between missing credentials (401), invalid credentials (401), and insufficient permissions (403), (4) rate limit error format — including retry-after timing and limit details, (5) server error format — what to reveal (request_id for support) and what to hide (no stack traces, no internal details). Generate the OpenAPI schema component and example responses for each type.

Standard error response structure:

{
  "error": {
    "code": "VALIDATION_FAILED",
    "message": "The request contains invalid fields.",
    "details": [
      {
        "field": "email",
        "issue": "must be a valid email address",
        "value": "not-an-email"
      }
    ],
    "request_id": "req_abc123",
    "documentation_url": "https://api.example.com/docs/errors#VALIDATION_FAILED"
  }
}

Error Code Taxonomy

AI prompt for error code catalog:

Create a comprehensive error code catalog for my API. Domain: [DESCRIBE YOUR API]. Organize error codes by category: (1) VALIDATION_* — input validation failures (VALIDATION_FAILED, VALIDATION_MISSING_FIELD, VALIDATION_INVALID_FORMAT, VALIDATION_OUT_OF_RANGE, etc.), (2) AUTH_* — authentication and authorization (AUTH_TOKEN_MISSING, AUTH_TOKEN_EXPIRED, AUTH_INSUFFICIENT_PERMISSIONS, AUTH_ACCOUNT_DISABLED, etc.), (3) RESOURCE_* — resource-related errors (RESOURCE_NOT_FOUND, RESOURCE_ALREADY_EXISTS, RESOURCE_CONFLICT, RESOURCE_GONE, etc.), (4) RATE_* — rate limiting (RATE_LIMIT_EXCEEDED, RATE_LIMIT_BURST, etc.), (5) PAYMENT_* — payment-related if applicable, (6) INTERNAL_* — server errors (INTERNAL_SERVER_ERROR, INTERNAL_SERVICE_UNAVAILABLE, INTERNAL_TIMEOUT). For each code: HTTP status, human-readable message, suggested consumer action, and a documentation section.

Error code mapping:

Error Code	HTTP Status	When It Occurs	Consumer Action
VALIDATION_FAILED	400	Request body fails validation	Check `details` for specific fields
VALIDATION_MISSING_FIELD	400	Required field not provided	Add the missing field from `details`
AUTH_TOKEN_EXPIRED	401	JWT/token has expired	Refresh the token and retry
AUTH_INSUFFICIENT_PERMISSIONS	403	Valid auth, wrong permissions	Request elevated permissions
RESOURCE_NOT_FOUND	404	Requested resource doesn’t exist	Verify the resource ID
RESOURCE_CONFLICT	409	Duplicate or conflicting operation	Check existing resources first
RATE_LIMIT_EXCEEDED	429	Too many requests	Wait for `retry_after_seconds`
INTERNAL_SERVER_ERROR	500	Unexpected server failure	Retry with exponential backoff

✅ Quick Check: A consumer sends a POST /users request with { “email”: “test@test.com”, “name”: "" }. Your validation requires name to be 1-100 characters. Which response is more helpful? Response A: { "error": "Name is required" }. Response B: { "error": { "code": "VALIDATION_FAILED", "details": [{ "field": "name", "issue": "must be between 1 and 100 characters", "value": "" }] } }. (Answer: B — it’s machine-parseable (code), identifies the exact field (name), states the rule (1-100 characters), and shows what was sent (empty string). A consumer’s code can programmatically highlight the name field and display the issue to their end user.)

Error Message Writing

AI prompt for error message improvement:

Review and improve the error messages in my API. Current messages: [LIST YOUR CURRENT ERROR MESSAGES]. For each message, rewrite it to be: (1) Specific — not ‘invalid input’ but ’email must be a valid email address’, (2) Actionable — tells the consumer what to do, not just what’s wrong, (3) Consistent in tone — professional, not blaming (‘The request is missing the required field “name”’ not ‘You forgot to include the name field’), (4) Free of internal details — no database column names, internal service names, or stack traces, (5) Properly formatted — sentence case, no trailing periods in single-line messages. Generate a before/after comparison for each message.

Error message quality levels:

Level	Example	Problem
Bad	“Error” or “Bad Request”	Zero information
Below average	“Invalid email”	Which email? What’s invalid about it?
Average	“The email field must be a valid email address”	Actionable but no context
Good	“The email ’test@test’ is not a valid email address. Expected format: user@domain.com”	Shows what was sent, what’s expected
Excellent	Above + field path + error code + docs link	Machine-parseable + human-readable

Error Handling Middleware

AI prompt for error middleware:

Generate error handling middleware for my [FRAMEWORK — Express.js/FastAPI/Go Gin] API. The middleware should: (1) catch all unhandled errors and format them as my standard error schema, (2) map common framework errors to my error codes (validation errors → VALIDATION_FAILED, auth errors → AUTH_TOKEN_INVALID, not found → RESOURCE_NOT_FOUND), (3) log the full error details internally (including stack trace) but return only the safe error response to consumers, (4) generate a unique request_id for every request (pass it through via header and include in error responses), (5) handle different error types differently: validation errors return field-level details, auth errors include the required permission, rate limit errors include retry-after headers. Include the middleware code and registration instructions.

Key Takeaways

The quality of your error responses determines whether consumers spend 5 minutes or 5 hours debugging: a structured response with error code, field-level details, expected format, and actual value received lets them fix every issue in one pass
String error codes in ALL_CAPS_SNAKE_CASE (VALIDATION_FAILED, RESOURCE_NOT_FOUND) are self-documenting and enable programmatic error handling — numeric codes require a lookup table and mean nothing at a glance
Error messages should be specific, actionable, and free of internal details: “The email ’test@test’ is not valid” is actionable; “Bad Request” and “invalid input” are not; “PostgreSQL constraint violation on column user_email” leaks internal details
Rate limit responses should include both headers (Retry-After, X-RateLimit-Limit/Remaining/Reset) for automated retry logic AND a descriptive body for debugging — consumers shouldn’t have to guess their limits
Error handling middleware transforms error standardization from a discipline problem (each developer formats errors differently) into a systems problem (the middleware enforces the standard automatically)

Up Next

In the next lesson, you’ll build API versioning strategies — how to evolve your API without breaking existing consumers, handle deprecation gracefully, and manage the inevitable breaking changes.

Knowledge Check

1. Your API returns this error: { "error": "Bad Request" }. A consumer gets this when creating an order. They have no idea what's wrong. What's the fix?

Add an HTTP status code — 400 tells them it's a client error A structured error response that tells them exactly what's wrong and how to fix it: { "error": { "code": "VALIDATION_FAILED", "message": "The request body contains invalid fields.", "details": [ { "field": "shipping_address.zip_code", "issue": "must be a 5-digit or 9-digit US zip code", "value": "ABC" }, { "field": "items[0].quantity", "issue": "must be a positive integer", "value": -3 } ], "request_id": "req_abc123" } }. This tells the consumer: what went wrong (validation), which fields are problematic (specific paths), what's expected (validation rules), what they sent (the invalid values), and how to track this error (request_id). The consumer can programmatically fix each issue without guessing Improve the message to 'Invalid order data — please check your request'

2. Your API has 50+ possible error conditions. Some use string error codes ('INVALID_EMAIL'), some use numeric codes (4001, 4002), and some just return HTTP status codes with a message. What's the fix?

Pick either string or numeric codes — both work Standardize on string error codes with a clear taxonomy: (1) Use ALL_CAPS_SNAKE_CASE for machine-readable parsing (VALIDATION_FAILED, RESOURCE_NOT_FOUND, RATE_LIMIT_EXCEEDED), (2) Organize by category: VALIDATION_* for input errors, AUTH_* for authentication/authorization, RESOURCE_* for not found/conflict, RATE_* for throttling, INTERNAL_* for server issues, (3) Create a complete error catalog — every possible error code, its meaning, HTTP status, and suggested consumer action, (4) AI generates the catalog from your codebase by scanning error-throwing code and standardizing the format. String codes are preferred over numeric because they're self-documenting: PAYMENT_CARD_DECLINED is immediately understandable; error code 5023 requires a lookup table Just use HTTP status codes — 400, 401, 403, 404, 500 cover everything

3. A consumer hits your rate limit (429 Too Many Requests). Your response body just says { "error": "Rate limited" }. What should the response include?

A Retry-After header — that's the standard Both the header AND a detailed body: response headers: Retry-After: 30, X-RateLimit-Limit: 100, X-RateLimit-Remaining: 0, X-RateLimit-Reset: 1740442200. Response body: { "error": { "code": "RATE_LIMIT_EXCEEDED", "message": "You've exceeded 100 requests per minute. Retry after 30 seconds.", "details": { "limit": 100, "window": "1 minute", "retry_after_seconds": 30, "reset_at": "2026-02-25T14:30:00Z" } } }. This tells the consumer: their limit (100/min), how long to wait (30 seconds), when the window resets (exact time), and includes both headers (for automated retry logic) and a body (for debugging and logging). AI generates rate limit response templates that include all standard headers and a clear body The 429 status code is enough — consumers should implement exponential backoff

Answer all questions to check

Complete the quiz above first