]> Problem Details for HTTP APIs Akamai
mnot@mnot.net http://www.mnot.net/
status HTTP error problem This document defines a "problem detail" as an extensible way to carry machine-readable details of errors in a HTTP response, to avoid the need to invent new response formats for HTTP APIs. This draft should be discussed on the apps-discuss mailing list.
While HTTP defines the status code as the primary indicator of generic response semantics, it is sometimes not fine-grained enough to convey helpful information about an error, particularly to non-human consumers of so-called "HTTP APIs". Consider a 403 Forbidden response that indicates that the client's account doesn't have enough credit. While this can be adequately expressed in HTML if presented to a human in front of a Web browser, a non-browser client would have difficulty understanding the response, because it doesn't understand the structure of the markup. This specification defines conventions for carrying machine-readable details of errors in a response ("problem details"), to avoid the need to invent new, application-specific response formats. Conceptually, problem details are associated with a generic type (e.g., "out of credit"). Optionally, the specific occurrence of a problem can also be identified (e.g., "when Bob ran out of credit last Tuesday at 5:32 pm"). Both use URIs to assure global uniqueness, and provide the opportunity to fetch further information. Problem details are specified as a JSON object; when occurring in a message body, they use the "application/api-problem+json" media type. defines how to translate problem details to an XML format, for those APIs that need it. Note that problem details are (naturally) not the only way to convey the details of a problem in HTTP; if the response is still a representation of a resource, for example, it's often preferable to accommodate describing the relevant details in that format. Instead, the aim of this specification is to define a common error format for those applications that need one, so that they aren't required to define their own.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .
The canonical format for problem details is a JSON document, identified with the "application/api-problem+json" media type, whose root MUST be an object. For example:
Here, the out-of-credit problem (identified by its describedBy URI) indicates the reason for the 403 in "title", gives a reference for the specific problem occurrence with "supportId", gives occurrence-specific details in "detail", and adds two extensions; "balance" conveys the account's balance, and "account" gives a link where the account can be topped up. Note that "describedBy" is case-sensitive in the JSON object, as are all other member names.
The root object MUST have the following members: "describedBy" (string) - An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type (e.g., using HTML). "title" (string) - A short, human-readable summary of the problem type. It SHOULD NOT change from occurrence to occurrence of the problem, except for purposes of localisation. Consumers MUST use the describedBy string as the primary identifier for the problem type; the title string is advisory, and included only for users who are not aware of the semantics of the URL, and don’t have the ability to discover them (e.g., offline log analysis). Consumers SHOULD NOT automatically dereference the describedBy URL.
Furthermore, the root object MAY have the following members: "httpStatus" (number) - The HTTP status code set by the origin server for this occurrence of the problem. "detail" (string) - An human readable explanation specific to this occurance of the problem. "supportId" (string) - An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced. The httpStatus member, if present, is only advisory; it conveys the HTTP status code used for the convenience of the consumer. Generators MUST use the same status code in the actual HTTP response, to assure that generic HTTP software that does not understand this format still behaves correctly. See for further caveats regarding its use. The detail member, if present, SHOULD focus on helping the client correct the problem, rather than giving debugging information. Consumers SHOULD NOT be parse the detail member for information; extensions are more suitable and less error-prone ways to obtain such information.
Finally, problem type definitions MAY extend the root object with additional members. Clients consuming problem details MUST ignore unrecognised extensions; this allows problem types to evolve and include additional information in the future.
Before defining a new type of problem detail, it’s important to understand what they are good for, and what’s better left to other mechanisms. Problem details are not a debugging tool for the underlying implementation; rather, they are a way to expose greater detail about the HTTP interface itself. New problem types need to carefully consider the Security Considerations , in particular the risk of exposing attack vectors by exposing implementation internals through error messages. Likewise, truly generic problems – i.e., conditions that could potentially apply to any resource on the Web – are usually better expressed as plain status codes. For example, a "write access disallowed" problem is probably unnecessary, since a 403 Forbidden status code on a PUT request is self-explanatory. Finally, an application may have a more appropriate way to carry an error in a format that it already defines. Problem details are intended to avoid the necessity of establishing new "fault" or "error" document formats, not to replace existing domain-specific formats. That said, it is possible to add support for problem details to existing HTTP APIs using HTTP content negotiation (e.g., using the Accept request header to indicate a preference for this format). New problem type definitions MUST document: A describedBy URL (typically, with the "http" scheme), A title that appropriately describes it (think short), and The HTTP status code for it to be used with. Problem types MAY specify the use of the Retry-After response header in appropriate circumstances. A problem’s describedBy URL SHOULD resolve to HTML documentation that explains how to resolve the problem. A problem type definition MAY specify additional members on the Problem Details JSON object. For example, an extension might use typed links to another resource that can be used by machines to resolve the problem. If such additional members are defined, their names SHOULD conform to token , so that it can be serialised in formats other than JSON, and SHOULD be three characters or longer. Likewise, problem types defining extensions SHOULD either make their values strings, or explain how to map their values to strings, so that it's possible to include them in other formats.
When defining a new problem type, the information included must be carefully vetted. Likewise, when actually generating a problem – however it is serialised – the details given must also be scrutinised. Risks include leaking information that can be exploited to compromise the system, access to the system, or the privacy of users of the system. Generators providing links to occurrence information are encouraged to avoid making implementation details such as a stack dump available through the HTTP interface, since this can expose sensitive details of the server implementation, its data, and so on. The "httpStatus" member duplicates the information available in the HTTP status code itself, thereby bringing the possibility of disagreement between the two. Their relative precedence is not clear, since a disagreement might indicate that (for example) an intermediary has modified the HTTP status code in transit. As such, those defining problem types as well as generators and consumers of problems need to be aware that generic software (such as proxies, load balancers, firewalls, virus scanners) are unlikely to know of or respect the status code conveyed in this member.
This specification defines two new Internet media types:
Intended usage: COMMON Restrictions on usage: None. Author: Mark Nottingham Change controller: IESG ]]>
Intended usage: COMMON Restrictions on usage: None. Author: Mark Nottingham Change controller: IESG ]]>
The author would like to thank Jan Algermissen, Mike Amundsen, Subbu Allamaraju, Roy Fielding, Sam Johnston, Mike McCall, Julian Reschke, James Snell, and Erik Wilde for early review of this specification (even if some disagree with parts of it).
&rfc2119; &rfc2616; &rfc3023; &rfc3986; &rfc4627; &xml; &xmls; &rfc5988;
Some HTTP-based APIs use XML as their primary format convention. Such APIs MAY express HTTP Problems using the format defined in this appendix. The OPTIONAL XML Schema for the XML format is:
&problem-schema;
The media type for this format is "application/api-problem+xml". Extension arrays and objects can be serialised into the XML format by considering an element containing a child or children to represent an object, except for elements that contain only child element(s) named 'i', which are considered arrays. For example, an alternate version of the example above:
would appear in XML as:
http://example.com/probs/out-of-credit You do not have enough credit. Your current balance is 30, but that costs 50. http://example.net/account/12345/msgs/abc 30 http://example.net/account/12345 http://example.net/account/67890 ]]>