Error responses are intentionally compact but are not normalized into a single global envelope. Different routes return different shapes depending on context. Use the status code as the primary signal, then inspect the body for details.
Common error shape
Most management and utility routes return errors in this shape:
{
"error": "Some error label or message",
"message": "Optional human-readable detail"
}
Webhook ingest error shape
Validation failures on ANY /webhook/:id often include the webhook ID and a link to the docs:
{
"error": "Webhook ID not found or expired",
"id": "wh_abc123",
"docs": "https://apify.com/ar27111994/webhook-debugger-logger"
}
Replay timeout error shape
When a replay request exhausts its retry budget, the response includes a machine-readable code field:
{
"error": "Replay Failed",
"message": "Target destination timed out after 3 attempts (10s timeout per attempt)",
"code": "ECONNABORTED"
}
HTTP status codes
| Code | Description |
|---|
400 | Invalid parameters, JSON Schema validation failures, or unsafe replay URL |
401 | Missing or invalid auth key, or failed signature verification |
403 | Source IP is not in the configured allowedIps allowlist |
404 | Webhook or log not found, invalid webhook/log pairing, or missing offloaded payload |
413 | Payload exceeds the configured maxPayloadSize limit |
422 | Recursive self-referential forwarding loop detected |
429 | Rate limit exceeded (management or webhook ingest) |
500 | Internal server error |
503 | Readiness probe not ready, SSE connection limit reached, or similar temporary unavailability |
504 | Replay or forward timeout across all retry attempts |
SSRF protection
The following URL categories are blocked for replay destinations, forwarding targets, and alert webhooks. Requests targeting these ranges return a 400 error.
| Category | Blocked ranges |
|---|
| Private networks | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
| Loopback | 127.0.0.0/8, ::1 |
| Link-local | 169.254.0.0/16, fe80::/10 |
| Cloud metadata | 169.254.169.254, 100.100.100.200 |
| Unresolvable hostnames | Any hostname that cannot be resolved safely |
SSRF protection applies to all outbound requests the server makes on your behalf: replay, forwarding, and alert webhook delivery.
