code field in the error response body to drive error-handling logic in your integration. The message field is human-readable and intended for logging and debugging.
HTTP errors
Error response format
Most error responses return anerror object with a machine-readable code and a message:
extra field appears on 400 responses only. It lists the specific fields that failed validation.
404 responses use a different shape: {"detail": "Not Found."} rather than the standard error object.Status codes
Response examples
400 Bad Request
400 Bad Request
Each entry in
invalid-params carries a field (the offending parameter name) and a message (the validation reason).403 Forbidden
403 Forbidden
404 Not Found
404 Not Found
410 Gone
410 Gone
The most common trigger is calling Recovery
POST /v1/link-access-tokens/ with a public_token that was already exchanged or has aged out — public_token is single-use and short-lived. Less commonly, the upstream bridge_token has expired (valid for 6 hours from creation).See the
bridge_token → public_token → access_token flow for the full token lifecycle.429 Too Many Requests
429 Too Many Requests
Rate limits
Truv applies rate limits to protect platform stability and to keep latency predictable for every customer. Limits apply per access secret key. Sandbox and production have separate keys, so their limits are tracked independently.Standard limits
The 300/minute limit covers all API requests authenticated with a given access secret key, across every endpoint. Requests over the limit return a
429 Too Many Requests error.
The per-access_token refresh limit covers POST /v1/refresh/tasks/ and GET /v1/refresh/tasks/{task_id}/, plus GET /v1/links/{link_id}/ re-fetches. Requests beyond the allowed window return the error message Refresh limit for the access_token exceeded. See the canonical Links and Refresh reference pages for the per-endpoint detail.
These are the defaults for new accounts. Higher limits are available — see Request a higher limit below.
Handle 429 responses
When a request exceeds a rate limit, Truv returns429 Too Many Requests with error.code: throttled. The connection is not penalized — subsequent requests succeed once your traffic drops back under the limit.
Respect the Retry-After response header on 429 responses. The value is the number of seconds to wait before retrying. If the header is not present, fall back to exponential backoff starting at 1 second and capped at 60 seconds.
Always check the response status before sleeping. The pseudocode above retries only on
429; on 5xx responses, Truv-side error retry guidance applies instead. On 2xx or 4xx other than 429, return the response immediately — never retry blindly.Best practices
- Webhooks over polling. Polling for status changes burns through your rate limit. Subscribe to
order-status-updatedandtask-status-updatedand only call the API when a webhook fires. - Stagger bulk jobs. Spread high-volume work across time rather than bursting it, so you stay under the 300 / minute limit.
- Refresh deliberately. The per-
access_tokenrefresh limit is designed for human-paced re-verification. Programmatic refresh on every page load exhausts the limit within minutes. - Don’t retry blindly. Order creation is not idempotent — retrying a failed
POST /v1/orders/creates a new Order. Store your application-level reference and de-duplicate before retrying.
Request a higher limit
Higher limits are available on request. To request one, contact your Truv Technical Account Manager or email support@truv.com with:- Truv account name and environment (sandbox or production).
- Current peak RPM and target peak RPM.
- Time window when peaks occur (e.g., 7–9 PM ET on weekdays).
- Use case context — e.g., “Recertification batch — 50,000 applicants over a 4-hour window.”
Task error states
For all task error states, their causes, and recommended actions, see Task Lifecycle — Error states. Subscribe totask-status-updated webhooks to receive error notifications in real time.
Bridge errors
Truv Bridge fires client-side errors through theonEvent callback when type === 'ERROR'. These are distinct from task error states — they fire in the browser during the connection flow, not through webhooks.
LOGIN_ERROR, MFA_ERROR, UNAVAILABLE, NO_DATA, LINK_EXISTS, ERROR), error object shape, and recommended fallback routing, see Bridge Events — Errors.
Document processing errors
For document upload errors —config_error and no_data messages, fraud detection, and the complete review workflow — see Fraud & Manual Review.
Webhook delivery retries
For webhook timeout, retry policy, and signature verification, see Webhooks — delivery and retries.Next steps
Task Lifecycle
Complete task status flow and error state transitions
Bridge Events
Client-side error codes and fallback routing
Fraud & Manual Review
Document fraud detection and review workflows
Webhooks
Real-time notifications for task and order status changes