200 | Success - accumulated response, or the start of an SSE stream. | response object / SSE |
201 | Resource created - a release, or a Managed Agents session. (Native session create returns 200.) | the resource |
202 | Accepted - async work queued (e.g. a Managed Agents event). | { "accepted": true } |
401 | Missing or invalid credential. | { "detail": "Unauthorized" } |
402 | Budget exhausted - the turn is blocked, or an over-budget org is refused a token mint. | { "detail": { "error": "budget_exhausted", ... } } (see below) |
403 | Forbidden - a metadata end-user id that conflicts with the verified token (identity_mismatch), or an API key lacking the required scope. | { "detail": "..." } |
404 | Not found (unknown agent or no active release), belongs to another org, or a session token scoped to another agent - all shaped identically (default-deny), so the URL space is never a tenant oracle. | { "detail": "..." } |
409 | Conflict - a release exists but is not materialized. | { "detail": "..." } |
422 | Validation failed, or a BYOK key was rejected by the provider. | { "detail": { "error": "byok_key_rejected", "provider": "...", "message": "..." } } |
429 | Too many requests - a rate limit was reached. | { "detail": "..." } + optional Retry-After |
503 | Service unavailable - temporary; back off and retry. | { "detail": "..." } + Retry-After |