# HTTP Error Codes

This document is the source of truth for backend RFC 7807 `code` values consumed by the frontend.

## Auth

| code | status | meaning | frontend handling |
|---|---:|---|---|
| `AUTH_SERVICE_UNAVAILABLE` | 503 | Auth upstream unavailable | Show retry message and allow retry |
| `AUTH_TOO_MANY_REQUESTS` | 429 | OTP request throttled | Show wait message |
| `AUTH_VERIFICATION_CODE_INVALID` | 401 | Invalid OTP code | Prompt user to re-enter code |
| `AUTH_REFRESH_TOKEN_INVALID` | 401 | Invalid/expired refresh token | Clear local session and return to login |
| `AUTH_REFRESH_TOKEN_MISSING` | 401 | Refresh token missing on logout | Treat as local logout and clear session |
| `AUTH_USER_NOT_FOUND` | 404 | User not found | Show not-found message where applicable |

## Agent Points

| code | status | meaning | frontend handling |
|---|---:|---|---|
| `POINTS_INSUFFICIENT_BALANCE` | 402 | Not enough points to start this run | Show recharge/insufficient-points prompt |

## Agent Session

| code | status | meaning | frontend handling |
|---|---:|---|---|
| `AGENT_SESSION_RUN_LIMIT_EXCEEDED` | 409 | Session already reached max run count (start + 3 follow-ups) | Show run-limit message and require starting a new session |
| `AGENT_DIVINATION_PAYLOAD_REQUIRED` | 422 | Missing required `forwardedProps.divinationPayload` in run request | Prompt user to restart casting flow and resubmit |

Compatibility strategy:

- Additive changes only for new codes.
- Existing codes must keep semantic meaning.
- Frontend must map by `code`, not by `detail` text.