Error Handling & Troubleshooting
Complete Kakunin troubleshooting guide. Step-by-step resolution steps for common integration mistakes, empty scopes, rate limits, and KMS errors.
Error Response Format
All Kakunin errors return a standard JSON object containing a descriptive string:
{
"error": "Descriptive explanation of the error condition."
}[!IMPORTANT] Production Best Practice: Do not match/parse the literal
errorstring in your application logic. Strings may be updated for clarity. Always branch your code logic using the standard HTTP Status Code.
Troubleshooting Guide & Resolution Steps
Below are the most common error states encountered during SDK integration, along with their root causes and concrete fix procedures.
1. Certificate Scope is Empty (Actions Not Authorized)
- Symptom: Your integration fails during pre-flight checks (
allowed = false) even though you defined scopes. When inspecting the agent or certificate metadata, the scope list is empty. - Root Cause: You registered the agent using the legacy metadata parameter
"scopes"instead of the required"permitted_actions"key. - Resolution Steps:
- Locate the agent creation code (e.g.
client.agents.create(...)). - Modify the
metadatapayload structure to map actions underpermitted_actions:// ❌ INCORRECT legacy mapping metadata: { - scopes: ["trade.execute", "market.read"] } // CORRECT v1 mapping metadata: { + permitted_actions: ["trade.execute", "market.read"] } - Re-register the agent or update its metadata, then call
/certifyagain.
- Locate the agent creation code (e.g.
2. Tenant Boundary Isolation Conflict (404 Not Found or 403 Forbidden)
- Symptom: Calls to
/agents/{id}or/eventsreturn404 Not Foundeven though the Agent ID exists in your code. - Root Cause: You are executing requests using an API key that belongs to a different Tenant than the one that registered the target agent. Under Kakunin RLS (Row Level Security) rules, resources outside your tenant scope are treated as non-existent to prevent scanning.
- Resolution Steps:
- Verify the environment variables loading
KAKUNIN_API_KEY. - Match the key prefix: Sandbox keys (
kak_test_...) and Live keys (kak_live_...) belong to separate databases. An agent registered in Sandbox cannot be fetched with a Live key. - Log the
tenant_idreturned during agent registration to ensure it aligns with your client configuration.
- Verify the environment variables loading
3. AWS KMS Service Failures (503 Service Unavailable)
- Symptom: Issuing a certificate (
POST /agents/{id}/certify) or signing a delegation chain returns a503status with the error:"KMS signing service unavailable". - Root Cause: The Kakunin Certificate Authority encountered a timeout or credential connection failure while attempting to reach AWS KMS in
eu-west-1. - Resolution Steps:
- This error is transient. Implement a retry strategy with exponential backoff:
async function certifyWithRetry(agentId: string, retries = 3, delay = 1000) { for (let i = 0; i < retries; i++) { try { const cert = await client.agents.certify(agentId); return cert; } catch (err) { if (i === retries - 1) throw err; await new Promise(res => setTimeout(res, delay * Math.pow(2, i))); } } }
- This error is transient. Implement a retry strategy with exponential backoff:
4. Rate Limiting (429 Too Many Requests)
- Symptom: Rapid event ingestion or risk-checking calls are blocked with a
429status. - Root Cause: The client exceeded the allowed request throughput on Upstash Redis rate limit counters.
- Resolution Steps:
- Check the response headers to inspect limits and reset timings:
X-RateLimit-Limit: 1000 # Max allowed requests in the window X-RateLimit-Remaining: 0 # Available requests Retry-After: 15 # Seconds you must wait before retrying - In your API client, check the
Retry-Afterheader value and schedule execution to pause:if (res.status === 429) { const retryAfterSeconds = parseInt(res.headers.get('Retry-After') || '1', 10); await new Promise(resolve => setTimeout(resolve, retryAfterSeconds * 1000)); // Resubmit request }
- Check the response headers to inspect limits and reset timings:
5. Auto-Revocation Triggers on Anomaly Spikes
- Symptom: An agent suddenly returns
status: "revoked"and certificate verification fails. - Root Cause: The real-time behavioral risk engine detected an event scoring
≥ 0.85(e.g. prompt injection, unauthorized bulk asset transfer) and triggered the AWS KMS-backed automatic cert revocation "kill switch". - Resolution Steps:
- Inspect the agent's recent event stream via the dashboard to identify the high-risk action.
- Once the security vulnerability is resolved, update the agent profile status back to
pending. - Re-issue the certificate by invoking
client.agents.certify(agentId)(this generates a new certificate with a fresh serial number).