# Errors

## 400 Bad Request

### Request body is invalid JSON

```json
{"error":"Bad content format", "code":"bad_content_format"}
```

This error can occur for the following reasons:

* **Malformed or invalid JSON.** The request body could not be parsed. Ensure it is valid JSON.
* **Missing Content-Type header.** The `Content-Type` header must be set to `application/json`.

## 403 Forbidden

### Signature header does not match the request body

```json
{"error":"Bad signature header", "code":"bad_header_signature"}
```

The value in `X-Processing-Signature` did not match the request body. See [Authentication](/api-reference/authentication) for how to generate the signature correctly. This can happen for several reasons:

* **Signature not converted to string.** The signature is generated from a data array without first converting it to a string. Ensure the signature value is sent as a string.
* **Body modified after signing.** The signed body must be identical to the body that is sent — no reformatting, whitespace changes, or field reordering.
* **Extra characters or spaces.** A code error introduces unexpected characters or spaces. Review your implementation and verify no extra characters are present.
* **Signature built from the full data array.** The signature is created from the entire data array — including the public key and headers — instead of the secret key only. Generate the signature exclusively from the secret key.
* **Public key in wrong parameter (PHP).** In some languages such as PHP, the public key may be mistakenly included in `paramsArray` instead of the request body. Pass the public key in the correct location.
* **Wrong secret key or environment.** Sandbox and production use separate key pairs. Make sure you are using the correct set for the environment you are targeting.

### Signature header is missing

```json
{"error":"No signature header", "code":"required_header_signature"}
```

The request does not include the required `X-Processing-Signature` header. Add it with an HMAC-SHA512 signature of the request body.
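The following Python sketch is an added example, not code from the API provider. It serializes the body once, signs those exact bytes with HMAC-SHA512, and runs a local pre-flight check that maps common mistakes to the error codes on this page. The key values, the payload fields, the helper names and the hex encoding of the signature are assumptions; the Authentication page defines the actual encoding.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or a real API payload.
PUBLIC_KEY = "ExAmPlEpUbLiCkEy"
SECRET_KEY = "ExAmPlEsEcReTkEy"
PAYLOAD = {"foreign_id": "order-1001", "amount": "0.5"}


def sign_body(body: bytes, secret_key: str) -> str:
    # HMAC-SHA512 over the exact bytes that will be sent, keyed with the secret key.
    # Returning a hex string is an assumption made for this example.
    return hmac.new(secret_key.encode("utf-8"), body, hashlib.sha512).hexdigest()


def build_request(payload: dict, public_key: str, secret_key: str):
    # Serialize once, sign those bytes, then send the same bytes unchanged.
    body = json.dumps(payload).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "X-Processing-Key": public_key,  # public key only, case preserved
        "X-Processing-Signature": sign_body(body, secret_key),
    }
    return headers, body


def preflight(headers: dict, body: bytes, secret_key: str) -> list:
    # Local check: which error codes would this request likely trigger?
    codes = []
    try:
        json.loads(body)
        valid_json = True
    except ValueError:
        valid_json = False
    if not valid_json or headers.get("Content-Type") != "application/json":
        codes.append("bad_content_format")
    key = headers.get("X-Processing-Key")
    if not key:
        codes.append("required_header_key")
    elif key == secret_key:  # secret key sent where the public key belongs
        codes.append("bad_header_key")
    sig = headers.get("X-Processing-Signature")
    if not sig:
        codes.append("required_header_signature")
    elif not hmac.compare_digest(str(sig), sign_body(body, secret_key)):
        codes.append("bad_header_signature")  # body or key differs from what was signed
    return codes
```

Pass the `body` bytes returned by `build_request` to the HTTP client as-is; letting the client re-serialize the payload is the "body modified after signing" case.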

### API key header does not match your API key

```json
{"error":"Bad key header", "code":"bad_header_key"}
```

The value in `X-Processing-Key` did not match any known API key. This can happen for several reasons:

* **Non-whitelisted IP.** If you have configured an IP whitelist in the Merchant Dashboard, requests from any unlisted IP will be rejected. Add the IP to the whitelist, use an already-whitelisted IP, or remove the whitelist entirely.
* **Wrong environment.** Production keys will not work against the sandbox endpoint, and vice versa. Check that the base URL matches the environment your keys belong to.
* **Incorrect or malformed public key.** Verify you are using the correct key. It contains both upper and lower case characters and must be sent exactly as provided — avoid any case transformation in your code.
* **Secret key used instead of public key.** The `X-Processing-Key` header must contain your public key only. The secret key is used exclusively to generate and verify signatures. Refer to [Get your API key](/merchant-administration/generate-and-activate-api-keys) for details.

### API key header is missing

```json
{"error":"No key header", "code":"required_header_key"}
```

This error can occur for the following reasons:

* **Missing X-Processing-Key header.** Add the `X-Processing-Key` header with your public API key.
* **Invalid request URL.** Verify the endpoint URL is correct.
