Skip to main content

Control Zero error code reference

Every user-visible error from the Control Zero SDK and CLI carries a stable E#### code. Each code has its own page on this site; click the code in any error message and you land on the canonical fix.

The SDK codes are defined once in the shared error catalog (sdks/error-catalog/error_codes.yaml) and mean the same thing in the Python and Node SDKs.

The codes are organized by area:

RangeArea
E1000-E1099Security and secrets management
E1100-E1199Authentication and enrollment
E1200-E1299Policy load / validate / bundle
E1300-E1399Approvals (HITL) request / wait flow
E1400-E1499Network and remote backend
E1500-E1599Approval gate, hook subprocess, agent integration
E1600-E1699SDK runtime (guard / audit / close)
E1700-E1799HITL (Human-in-the-Loop) approvals and secrets
E2000-E2099Credential leak detection
E3000-E3299Platform backend (API / SSO)
E4000-E4099Governance gateway

Security and secrets (E10xx)

Authentication and enrollment (E11xx)

Policy load / validate / bundle (E12xx)

Cache and local-disk layout (E13xx)

Network and remote backend (E14xx)

Approval gate and hook subprocess (E15xx)

SDK runtime (E16xx)

HITL approvals and secrets (E17xx)

The approval (human-in-the-loop) flow is in Beta and available on every deployment, including the hosted (SaaS) plan. Approvals are off by default; an administrator turns them on per scope. See Approval Workflow for availability and Set up approvals for the toggle.

Credential leak detection (E20xx)

Platform backend (E3xxx)

Returned by the Control Zero platform API in the structured error body { "error": { "code", "reason_code", "request_id", ... } }. The reason_code is the stable E####; quote the request_id to support so the error can be traced to its logs.

CodeMeaning
E3000Internal server error
E3001Request failed validation
E3002Resource not found
E3003Permission denied
E3004Authentication required or failed
E3005Rate or usage limit exceeded
E3006An upstream dependency is unavailable
E3007State conflict / already exists
E3008Integrity / cross-tenant violation
E3009Service unavailable
E3010Malformed request
E3011CSRF token missing or invalid
E3012Request body exceeds the size cap
E3200SSO not configured for this organization
E3201SSO is configured but invalid
E3202Identity provider unreachable
E3203SSO state missing, expired, or tampered
E3204SSO token / assertion rejected
E3205No role mapping, or tier disallows the role
E3206Account is suspended or inactive

Governance gateway (E4xxx)

Returned by the governance gateway. Enforcement-path failures fail closed: if the gateway cannot complete its policy / DLP / auth checks it denies the request rather than forwarding it.

CodeMeaning
E4000Internal gateway error (non-enforcement path)
E4001Governance evaluation failed; request denied (fail-closed)
E4002Malformed request
E4003Rate limit exceeded
E4004Authentication required or invalid
E4005Governance gateway is not initialized

Reporting a new error you've hit

If controlzero doctor reports a code you can't find a page for, the page hasn't been published yet. Open an issue at github.com/controlzero/control_zero/issues and include the full error message and your controlzero env-dump output (with --show-secrets left OFF).