One document matched: draft-nottingham-http-problem-02.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "http://xml.resource.org/authoring/rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2616 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2616.xml'>
<!ENTITY rfc3023 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3023.xml'>
<!ENTITY rfc3986 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3986.xml'>
<!ENTITY rfc4627 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4627.xml'>
<!ENTITY rfc5987 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5987.xml'>
<!ENTITY rfc5988 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5988.xml'>
<!ENTITY xml SYSTEM 'http://xml.resource.org/public/rfc/bibxml4/reference.W3C.REC-xml-20081126.xml'>
<!ENTITY xmls SYSTEM 'http://xml.resource.org/public/rfc/bibxml4/reference.W3C.REC-xmlschema-0-20041028.xml'>
<!ENTITY problem-schema SYSTEM 'http-problem-02.xsd'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocdepth="3" ?>
<?rfc tocindent="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes" ?>
<rfc ipr="trust200902" docName="draft-nottingham-http-problem-02" category="info">
<front>
<title abbrev="Problem Details">Problem Details for HTTP APIs</title>
<author initials="M." surname="Nottingham" fullname="Mark Nottingham">
<organization>Akamai</organization>
<address>
<email>mnot@mnot.net</email>
<uri>http://www.mnot.net/</uri>
</address>
</author>
<date year="2012"/>
<keyword>status</keyword>
<keyword>HTTP</keyword>
<keyword>error</keyword>
<keyword>problem</keyword>
<abstract>
<t>This document defines a "problem detail" as an extensible
way to carry machine-readable details of errors in a HTTP response,
to avoid the need to invent new response formats for HTTP APIs.</t>
</abstract>
<note title="Note to Readers">
<t>This draft should be discussed on the <eref
target="https://www.ietf.org/mailman/listinfo/apps-discuss">apps-discuss
mailing list</eref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>While HTTP <xref target="RFC2616"/> defines the status code as the
primary indicator of generic response semantics, it is sometimes not
fine-grained enough to convey helpful information about an error,
particularly to non-human consumers of so-called "HTTP APIs".</t>
<t>Consider a 403 Forbidden response that indicates that the client's
account doesn't have enough credit. While this can be adequately
expressed in HTML if presented to a human in front of a Web browser, a
non-browser client would have difficulty understanding the response,
because it doesn't understand the structure of the markup.</t>
<t>This specification defines conventions for carrying machine-readable
details of errors in a response ("problem details"), to avoid the need
to invent new, application-specific response formats.</t>
<t>Conceptually, problem details are associated with a generic type
(e.g., "out of credit"). Optionally, the specific occurrence of a
problem can also be identified (e.g., "when Bob ran out of credit last
Tuesday at 5:32 pm"). Both use URIs to assure global uniqueness, and
provide the opportunity to fetch further information.</t>
<t>Problem details are specified as a JSON <xref target="RFC4627"/>
object; when occurring in a message body, they use the
"application/api-problem+json" media type. <xref target="xml-syntax"/>
defines how to translate problem details to an XML format, for those
APIs that need it.</t>
<t>Note that problem details are (naturally) not the only way to convey
the details of a problem in HTTP; if the response is still a
representation of a resource, for example, it's often preferable to
accommodate describing the relevant details in that format.</t>
<t>Instead, the aim of this specification is to define a common error
format for those applications that need one, so that they aren't
required to define their own.</t>
</section>
<section title="Requirements">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"/>.</t>
</section>
<section title="The Problem Details JSON Object">
<t>The canonical format for problem details is a JSON <xref
target="RFC4627"/> document, identified with the
"application/api-problem+json" media type, whose root MUST be an object.</t>
<t>For example:</t>
<figure><artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/api-problem+json
Content-Language: en
{
"describedBy": "http://example.com/probs/out-of-credit",
"title": "You do not have enough credit.",
"detail": "Your current balance is 30, but that costs 50.",
"supportId": "http://example.net/account/12345/msgs/abc",
"balance": 30,
"account": "http://example.net/account/12345"
}]]></artwork></figure>
<t>Here, the out-of-credit problem (identified by its describedBy URI)
indicates the reason for the 403 in "title", gives a reference for the
specific problem occurrence with "supportId", gives occurrence-specific
details in "detail", and adds two extensions; "balance" conveys the
account's balance, and "account" gives a link where the account can be
topped up.</t>
<t>Note that "describedBy" is case-sensitive in the JSON object, as are
all other member names.</t>
<section title="Required Members">
<t>The root object MUST have the following members:</t>
<t><list style='symbols'>
<t>"describedBy" (string) - An absolute URI <xref
target="RFC3986"/> that identifies the problem type. When
dereferenced, it SHOULD provide human-readable documentation for
the problem type (e.g., using HTML).</t>
<t>"title" (string) - A short, human-readable summary of the
problem type. It SHOULD NOT change from occurrence to occurrence of
the problem, except for purposes of localisation.</t>
</list></t>
<t>Consumers MUST use the describedBy string as the primary
identifier for the problem type; the title string is advisory, and
included only for users who are not aware of the semantics of the
URL, and don’t have the ability to discover them (e.g., offline log
analysis). Consumers SHOULD NOT automatically dereference the
describedBy URL.</t>
</section>
<section title="Optional Members">
<t>Furthermore, the root object MAY have the following members:</t>
<t><list style='symbols'>
<t>"httpStatus" (number) - The HTTP status code set by the origin
server for this occurrence of the problem.</t>
<t>"detail" (string) - An human readable explanation specific to
this occurance of the problem.</t>
<t>"supportId" (string) - An absolute URI that identifies the
specific occurrence of the problem. It may or may not yield
further information if dereferenced.</t>
</list></t>
<t>The httpStatus member, if present, is only advisory; it conveys the
HTTP status code used for the convenience of the consumer. Generators
MUST use the same status code in the actual HTTP response, to assure
that generic HTTP software that does not understand this format still
behaves correctly. See <xref target="security-considerations"/> for
further caveats regarding its use.</t>
<t>The detail member, if present, SHOULD focus on helping the
client correct the problem, rather than giving debugging
information.</t>
<t>Consumers SHOULD NOT be parse the detail member for information;
extensions are more suitable and less error-prone ways to obtain
such information.</t>
</section>
<section title="Extension Members">
<t>Finally, problem type definitions MAY extend the root object with
additional members.</t>
<t>Clients consuming problem details MUST ignore unrecognised
extensions; this allows problem types to evolve and include additional
information in the future.</t>
</section>
</section>
<section anchor="defining" title="Defining New Problem Types">
<t>Before defining a new type of problem detail, it’s important to
understand what they are good for, and what’s better left to other
mechanisms.</t>
<t>Problem details are not a debugging tool for the underlying
implementation; rather, they are a way to expose greater detail about
the HTTP interface itself. New problem types need to carefully consider
the Security Considerations <xref target="security-considerations"/>, in
particular the risk of exposing attack vectors by exposing
implementation internals through error messages.</t>
<t>Likewise, truly generic problems – i.e., conditions that could
potentially apply to any resource on the Web – are usually better
expressed as plain status codes. For example, a "write access
disallowed" problem is probably unnecessary, since a 403 Forbidden
status code on a PUT request is self-explanatory.</t>
<t>Finally, an application may have a more appropriate way to carry
an error in a format that it already defines. Problem details
are intended to avoid the necessity of establishing new "fault" or
"error" document formats, not to replace existing domain-specific
formats.</t>
<t>That said, it is possible to add support for problem details to
existing HTTP APIs using HTTP content negotiation (e.g., using the
Accept request header to indicate a preference for this format).</t>
<t>New problem type definitions MUST document:
<list style="numbers">
<t>A describedBy URL (typically, with the "http"
scheme),</t>
<t>A title that appropriately describes it (think
short), and</t>
<t>The HTTP status code for it to be used with.</t>
</list></t>
<t>Problem types MAY specify the use of the Retry-After response
header in appropriate circumstances.</t>
<t>A problem’s describedBy URL SHOULD resolve to HTML documentation
that explains how to resolve the problem.</t>
<t>A problem type definition MAY specify additional members on the
Problem Details JSON object. For example, an extension might use
typed links <xref target="RFC5988"/> to another resource that can be
used by machines to resolve the problem.</t>
<t>If such additional members are defined, their names SHOULD conform
to token <xref target="RFC2616"/>, so that it can be serialised in
formats other than JSON, and SHOULD be three characters or longer.</t>
<t>Likewise, problem types defining extensions SHOULD either make their
values strings, or explain how to map their values to strings, so that
it's possible to include them in other formats.</t>
</section>
<section anchor="security-considerations" title="Security Considerations">
<t>When defining a new problem type, the information included must be
carefully vetted. Likewise, when actually generating a problem –
however it is serialised – the details given must also be
scrutinised.</t>
<t>Risks include leaking information that can be exploited to
compromise the system, access to the system, or the privacy of users
of the system.</t>
<t>Generators providing links to occurrence information are encouraged
to avoid making implementation details such as a stack dump available
through the HTTP interface, since this can expose sensitive details of
the server implementation, its data, and so on.</t>
<t>The "httpStatus" member duplicates the information available in the
HTTP status code itself, thereby bringing the possibility of
disagreement between the two. Their relative precedence is not clear,
since a disagreement might indicate that (for example) an intermediary
has modified the HTTP status code in transit. As such, those defining
problem types as well as generators and consumers of problems need to
be aware that generic software (such as proxies, load balancers,
firewalls, virus scanners) are unlikely to know of or respect the
status code conveyed in this member.</t>
</section>
<section title="IANA Considerations">
<t>This specification defines two new Internet media types:</t>
<figure><artwork><![CDATA[
Type name: application
Subtype name: api-problem+json
Required parameters: None
Optional parameters: None; unrecognised parameters
should be ignored
Encoding considerations: Same as [RFC4627]
Security considerations: see [this document]
Interoperability considerations: None.
Published specification: [this document]
Applications that use this media type: HTTP
Additional information:
Magic number(s): n/a
File extension(s): n/a
Macintosh file type code(s): n/a
Person & email address to contact for further information:
Mark Nottingham <mnot@mnot.net>
Intended usage: COMMON
Restrictions on usage: None.
Author: Mark Nottingham <mnot@mnot.net>
Change controller: IESG
]]></artwork></figure>
<figure><artwork><![CDATA[
Type name: application
Subtype name: api-problem+xml
Required parameters: None
Optional parameters: None; unrecognised parameters
should be ignored
Encoding considerations: Same as [RFC3023]
Security considerations: see [this document]
Interoperability considerations: None.
Published specification: [this document]
Applications that use this media type: HTTP
Additional information:
Magic number(s): n/a
File extension(s): n/a
Macintosh file type code(s): n/a
Person & email address to contact for further information:
Mark Nottingham <mnot@mnot.net>
Intended usage: COMMON
Restrictions on usage: None.
Author: Mark Nottingham <mnot@mnot.net>
Change controller: IESG
]]></artwork></figure>
</section>
<section title="Acknowledgements">
<t>The author would like to thank
Jan Algermissen,
Mike Amundsen,
Subbu Allamaraju,
Roy Fielding,
Sam Johnston,
Mike McCall,
Julian Reschke,
James Snell, and
Erik Wilde
for early review of this specification (even if some disagree
with parts of it).
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc2616;
&rfc3023;
&rfc3986;
&rfc4627;
</references>
<references title="Informative References">
&xml;
&xmls;
&rfc5988;
</references>
<section anchor="xml-syntax" title="HTTP Problems and XML">
<t>Some HTTP-based APIs use XML <xref
target="W3C.REC-xml-20081126"/> as their primary format convention. Such
APIs MAY express HTTP Problems using the format defined in this
appendix.</t>
<t>The OPTIONAL XML Schema <xref target="W3C.REC-xmlschema-0-20041028"/>
for the XML format is:</t>
<figure><artwork>&problem-schema;</artwork></figure>
<t>The media type for this format is "application/api-problem+xml".</t>
<t>Extension arrays and objects can be serialised into the XML format by
considering an element containing a child or children to represent an
object, except for elements that contain only child element(s) named 'i',
which are considered arrays. For example, an alternate version of the
example above:</t>
<figure><artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/api-problem+json
Content-Language: en
{
"describedBy": "http://example.com/probs/out-of-credit",
"title": "You do not have enough credit.",
"detail": "Your current balance is 30, but that costs 50.",
"supportId": "http://example.net/accounts/12345/msgs/abc",
"more": {
"balance": 30,
"accounts": [
"http://example.net/account/12345",
"http://example.net/account/67890"
]
}
}]]></artwork></figure>
<t>would appear in XML as:</t>
<figure><artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/api-problem+xml
Content-Language: en
<problem>
<describedBy>http://example.com/probs/out-of-credit</describedBy>
<title>You do not have enough credit.</title>
<detail>Your current balance is 30, but that costs 50.</detail>
<supportId>http://example.net/account/12345/msgs/abc</supportId>
<more>
<balance>30</balance>
<accounts>
<i>http://example.net/account/12345</i>
<i>http://example.net/account/67890</i>
</accounts>
</more>
</problem>]]></artwork></figure>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 15:00:28 |