Error handling

Zulip's API will always return a JSON format response. The HTTP status code indicates whether the request was successful (200 = success, 40x = user error, 50x = server error). Every response will contain at least two keys: msg (a human-readable error message) and result, which will be either error or success (this is redundant with the HTTP status code, but is convenient when printing responses while debugging).

For some common errors, Zulip provides a code attribute. Where present, clients should check code, rather than msg, when looking for specific error conditions, since the msg strings are internationalized (e.g. the server will send the error message translated into French if the user has a French locale).

Each endpoint documents its own unique errors; below, we document errors common to many endpoints:

Invalid API key

A typical failed JSON response for when the API key is invalid:

{
    "msg": "Invalid API key",
    "result": "error"
}

Missing request parameter(s)

A typical failed JSON response for when a required request parameter is not supplied:

{
    "code": "REQUEST_VARIABLE_MISSING",
    "msg": "Missing 'content' argument",
    "result": "error",
    "var_name": "content"
}

User not authorized for query

A typical failed JSON response for when the user is not authorized for a query:

{
    "code": "BAD_REQUEST",
    "msg": "User not authorized for this query",
    "result": "error"
}

User account deactivated

Changes: These errors used the HTTP 403 status code before Zulip 5.0 (feature level 76).

A typical failed json response for when user's account is deactivated:

{
    "code": "USER_DEACTIVATED",
    "msg": "Account is deactivated",
    "result": "error"
}

Realm deactivated

Changes: These errors used the HTTP 403 status code before Zulip 5.0 (feature level 76).

A typical failed json response for when user's organization is deactivated:

{
    "code": "REALM_DEACTIVATED",
    "msg": "This organization is deactivated",
    "result": "error"
}

Rate limit exceeded

The retry-after parameter in the response indicates how many seconds the client must wait before making additional requests.

Changes: The code field was not present in rate limit errors before Zulip 4.0 (feature level 36).

A typical failed JSON response for when a rate limit is exceeded:

{
    "code": "RATE_LIMIT_HIT",
    "msg": "API usage exceeded rate limit",
    "result": "error",
    "retry-after": 28.706807374954224
}

To help clients avoid exceeding rate limits, Zulip sets the following HTTP headers in all API responses:

  • X-RateLimit-Remaining: The number of additional requests of this type that the client can send before exceeding its limit.
  • X-RateLimit-Limit: The limit that would be applicable to a client that had not made any recent requests of this type. This is useful for designing a client's burst behavior so as to avoid ever reaching a rate limit.
  • X-RateLimit-Reset: The time at which the client will no longer have any rate limits applied to it (and thus could do a burst of X-RateLimit-Limit requests).

Zulip's rate limiting rules are configurable, and can vary by server and over time. The default configuration currently limits:

  • Every user is limited to 200 total API requests per minute.
  • Separate, much lower limits for authentication/login attempts.

When the Zulip server has configured multiple rate limits that apply to a given request, the values returned will be for the strictest limit.