Error response format
All API errors return a JSON body with an error field describing the problem:
{
"error": "name is required"
}For validation errors with multiple fields, the message may list all issues in a single string.
HTTP status codes
| Status | Meaning | Common causes |
|---|---|---|
200 OK | Request succeeded | — |
400 Bad Request | Invalid request | Missing or malformed body fields |
401 Unauthorized | Not authenticated | Missing or invalid API key |
403 Forbidden | Not authorized | Key exists but lacks permission |
404 Not Found | Resource not found | Wrong ID, or resource belongs to another user |
429 Too Many Requests | Rate limit exceeded | See rate limits below |
500 Internal Server Error | Server error | Retry with backoff; if persistent, contact support |
Rate limits
Rate limits are applied per API key. Current limits:
| Plan | Requests per minute | Requests per day |
|---|---|---|
| Free | 30 | 500 |
| Starter | 60 | 5,000 |
| Growth | 120 | 20,000 |
| Enterprise | 300 | Unlimited |
When you exceed the rate limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait before retrying.
HTTP/1.1 429 Too Many Requests
Retry-After: 15
Content-Type: application/json
{
"error": "Rate limit exceeded. Retry after 15 seconds."
}Tip
Handling 401 errors
A 401 Unauthorized response means your key is missing or invalid. Check:
- The
Authorizationheader is present:Authorization: Bearer wm_your_key. - The key has not been revoked (check Settings → API Keys).
- The key belongs to the correct user account.
Handling 500 errors
Transient 500 errors can occur during deploys or brief outages. Retry up to 3 times with exponential backoff (1s, 2s, 4s). If the error persists, the issue is likely in your request — check the request body and headers.
Pagination
Endpoints that return lists do not currently support pagination. All items are returned in a single response. For accounts with very large datasets, response sizes may be large — filter by account or date where filter parameters are available.
CORS
The API allows cross-origin requests from trusted origins. For direct browser-to-API calls from your own domain, contact support to add your domain to the CORS allowlist. Server-side requests (from your backend) work without CORS configuration.
API versioning
The API is currently unversioned (all paths are /api/...). A versioned prefix (/api/v1/...) will be introduced with the stable release. Migration guides will be published when versioning is introduced.