Skip to main content

Error handling

The library exposes typed errors through JeapJweError.

export class JeapJweError extends Error {
constructor(
public readonly code: JeapJweErrorCode,
message: string,
public readonly retryable = false,
public override readonly cause?: unknown
) {
super(message);
this.name = 'JeapJweError';
}
}

The cause may carry transport-level detail, such as an HTTP error response. Applications that handle sensitive data should not log it verbatim.

Error codes

The client surfaces both codes raised on the client and codes reported by the backend in the problem+json code field as typed JeapJweError instances.

Codes reported by the backend

CodeMeaning
JWE_REQUEST_ENCRYPTION_REQUIREDThe backend requires the request to be encrypted
JWE_RESPONSE_ENCRYPTION_REQUIREDThe backend requires the response to be encrypted
JWE_RESPONSE_KEY_REQUIREDThe backend requires a JWE-Response-Key
JWE_RESPONSE_KEY_INVALIDThe JWE-Response-Key was rejected by the backend
JWE_INVALID_CONTENT_TYPEThe backend rejected the request content type
JWE_PAYLOAD_TOO_LARGEThe encrypted payload exceeds the backend limit
JWE_UNKNOWN_KEY_IDBackend rejected the key identifier and the request may be retried once

Codes shared by the backend and the client, or raised on the client

CodeMeaning
JWE_MALFORMEDJWE data is syntactically invalid
JWE_UNSUPPORTED_ALGORITHMJWE uses an unsupported alg or enc
JWE_UNSUPPORTED_MEDIA_TYPERequest or response media type is not supported
JWE_REQUEST_SERIALIZATION_FAILEDRequest body could not be serialized
JWE_REQUEST_ENCRYPTION_FAILEDRequest protection failed
JWE_DECRYPTION_FAILEDResponse decryption or authentication failed
JWE_CONFIG_LOAD_FAILEDBackend JWE configuration could not be loaded
JWE_KEY_RETRIEVAL_FAILEDJWKS could not be loaded
JWE_JWKS_INVALIDJWKS is structurally invalid or contains invalid keys

Automatic retry

The client retries a request automatically only on an HTTP 400 problem+json response whose body field code equals JWE_UNKNOWN_KEY_ID. The client refreshes JWKS and retries the original request once. If the retry fails again, the typed error is returned to the application.

Safe error messages

Error messages must not contain:

  • plaintext payloads,
  • compact JWE values,
  • CEKs,
  • private keys,
  • full JWK key material,
  • decrypted response data.

Good example:

new JeapJweError(
'JWE_DECRYPTION_FAILED',
'Failed to decrypt the protected JWE response.'
);

Bad example:

new JeapJweError(
'JWE_DECRYPTION_FAILED',
`Failed to decrypt ${compactJwe} with CEK ${cek}`
);