kycert API Error Codes and Troubleshooting Guide

The kycert API returns standard HTTP status codes alongside a consistent JSON error body. Every error response — from authentication failures to validation issues — follows the same envelope structure, so you can write generic error-handling logic and then branch on the code field for specific conditions.

Error response format

All error responses use this structure:

{
  "error": {
    "type": "invalid_request_error",
    "code": "invalid_document",
    "message": "CPF/CNPJ com quantidade de dígitos incorreta.",
    "param": "subject.doc"
  }
}

Field	Type	Description
`type`	string	Error category — use for broad classification in error handling
`code`	string	Specific machine-readable code — use for programmatic logic
`message`	string	Human-readable description of what went wrong
`param`	string \| null	The request field that caused the error, when applicable

HTTP status codes

Status	Meaning	Common causes
`200`	OK	Request succeeded
`202`	Accepted	Run queued for async processing — wait for webhook
`400`	Bad Request	Invalid parameters, malformed document, unknown API version
`401`	Unauthorized	Missing or invalid API key
`402`	Payment Required	Insufficient credits or suspended billing account
`403`	Forbidden	Valid key, but insufficient scope for this operation
`404`	Not Found	Run or resource does not exist, or belongs to another tenant
`429`	Too Many Requests	Rate limit exceeded — check `Retry-After` header
`500`	Internal Server Error	Unexpected server-side failure — retry with backoff; include `request_id` in support requests

Error codes

HTTP	`type`	`code`	When it occurs	What to do
`400`	`invalid_request_error`	`missing_subject`	`subject.doc` or `subject.type` is absent	Add the missing field to the request body
`400`	`invalid_request_error`	`invalid_document`	CPF or CNPJ has the wrong number of digits	Validate the document format before sending
`400`	`invalid_request_error`	`invalid_subject_type`	`subject.type` is not `pf` or `pj`	Use `"pf"` for individuals, `"pj"` for legal entities
`400`	`invalid_request_error`	`subject_type_mismatch`	Template is PJ but `subject.type` is `"pf"`, or vice versa	Verify the template type in the dashboard
`400`	`invalid_request_error`	`missing_template_id`	`template_id` is absent from the request body	Include `template_id`
`400`	`invalid_request_error`	`template_not_found`	`template_id` is inactive, incorrect, or belongs to another tenant	Check the template ID in the dashboard
`400`	`invalid_request_error`	`invalid_json`	Request body is malformed JSON	Check your serialization logic
`400`	`invalid_request_error`	`invalid_metadata`	`metadata` is not a flat key-value object or contains non-string values	Ensure all metadata values are strings
`400`	`invalid_request_error`	`invalid_cursor`	Pagination cursor is corrupted	Use the cursor returned by `GET /bureau/runs` without modification
`400`	`invalid_request_error`	`run_not_found`	`run_id` does not exist or belongs to another tenant	Verify the run ID
`400`	`invalid_request_error`	`unknown_api_version`	The `x-kycert-api-version` header specifies an unrecognized version	Use `2026-06-03` or omit the header
`401`	`authentication_error`	`missing_api_key`	No `X-API-Key` header or `Authorization: Bearer` token	Add the authentication header
`401`	`authentication_error`	`invalid_api_key`	Key is revoked, inactive, or does not exist	Verify the key in the dashboard
`402`	`billing_error`	`billing_suspended`	Insufficient credit balance or account suspended	Add credits in the dashboard
`403`	`authorization_error`	`insufficient_scope`	Key lacks the required scope	Create a new key with the needed scope
`403`	`authorization_error`	`subject_type_not_allowed`	Key is restricted to PF but request is PJ (or vice versa)	Check the key’s allowed subject types
`429`	`server_error`	`rate_limit_exceeded`	Too many requests within the rate limit window	Wait for the `Retry-After` duration and retry
`500`	`server_error`	`internal_error`	Unexpected internal failure	Retry with exponential backoff; contact support with the response
`500`	`server_error`	`run_failed`	Bureau run failed to start	Retry the run

Rate limiting

The kycert API enforces per-key rate limits. When you exceed the limit, the API returns 429 Too Many Requests. Every API response includes rate limit headers:

Header	Description
`X-RateLimit-Limit`	Maximum requests allowed per minute for this key
`X-RateLimit-Remaining`	Requests remaining in the current window
`X-RateLimit-Reset`	Unix timestamp when the current window resets
`Retry-After`	Seconds to wait before retrying (present on `429` responses)

const res = await fetch('https://admin.kycert.com.br/api/v1/bureau/runs', {
  method: 'POST',
  headers: {
    'X-API-Key': process.env.KYCERT_API_KEY!,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify(payload),
})

if (res.status === 429) {
  const retryAfter = parseInt(res.headers.get('retry-after') ?? '60', 10)
  console.log(`Rate limited. Retrying in ${retryAfter}s.`)
  await new Promise(r => setTimeout(r, retryAfter * 1000))
  // retry the request
}

Idempotency

Use the Idempotency-Key header on POST /bureau/runs to make retries safe. If you send the same Idempotency-Key value within 24 hours, the API returns the original response without creating a duplicate run. kycert stores the idempotency key as a keyed hash scoped to your tenant, with a 24-hour TTL. This means the same key value used by two different tenants does not conflict.

curl -X POST https://admin.kycert.com.br/api/v1/bureau/runs \
  -H "X-API-Key: sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: a3f9b2c1-4e78-4d0a-9b2e-1c3f5e7a9d2b" \
  -d '{
    "template_id": "550e8400-e29b-41d4-a716-446655440000",
    "subject": { "type": "pf", "doc": "12345678901" },
    "external_id": "cust_abc123"
  }'

Use a UUID v4 or any sufficiently random string as the key value. Tie it to the specific operation in your system — for example, derive it from your internal customer ID and the operation type — so retries after a network failure always send the same key.

Without an Idempotency-Key, every retry of a POST /bureau/runs request creates a new run and consumes credits. Always include an idempotency key when retrying failed or timed-out requests.

Retry strategy

Recommended retry strategy

Apply this pattern for all kycert API calls. Respect Retry-After on 429 responses, use exponential backoff on 5xx errors, and never retry 4xx errors other than 429 — they indicate a problem with the request itself that will not resolve on its own.

async function fetchWithRetry(
  url: string,
  options: RequestInit,
  maxRetries = 3,
): Promise<Response> {
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    const res = await fetch(url, options)

    // Success
    if (res.ok || (res.status >= 200 && res.status < 300)) return res

    // 429: respect the Retry-After header
    if (res.status === 429) {
      const retryAfter = parseInt(res.headers.get('retry-after') ?? '60', 10)
      await new Promise(r => setTimeout(r, retryAfter * 1000))
      continue
    }

    // 5xx: exponential backoff
    if (res.status >= 500) {
      if (attempt < maxRetries - 1) {
        await new Promise(r => setTimeout(r, 1000 * 2 ** attempt))
        continue
      }
      return res
    }

    // 4xx (except 429): do not retry — fix the request
    return res
  }

  throw new Error('Max retries reached')
}

Status	Retry?	Wait
`4xx` (except `429`)	No	Fix the request
`429`	Yes	Value of `Retry-After` header
`5xx`	Yes	Exponential backoff: 1s, 2s, 4s, …

Always pair retries on POST /bureau/runs with an Idempotency-Key to prevent duplicate runs.

​Error response format

​HTTP status codes

​Error codes

​Rate limiting

​Idempotency

​Retry strategy

Error response format

HTTP status codes

Error codes

Rate limiting

Idempotency

Retry strategy