API Error Response Analyzer

Analyze API error responses for quality, traceability, exposed stack traces, and RFC 7807 compliance

Enter an API error response JSON to analyze for quality, traceability, and security issues

What is the API Error Response Analyzer?

The API Error Response Analyzer inspects your API error response JSON for quality issues, missing traceability fields, exposed stack traces, and non-standard error structures. It checks whether your error responses follow best practices like RFC 7807 Problem Details, calculates a quality score, and suggests improvements to make your API errors consistent, secure, and developer-friendly.

How to Use

  1. Paste your API error response JSON into the input field
  2. Click "Analyze" or wait for automatic processing
  3. Review the quality score and detected issues
  4. Check the suggested RFC 7807 structure for your error
  5. Export the report for your team in JSON or Markdown format

Example: Poorly Structured Error Response

This error response has several issues the analyzer will detect:

{
  "status": 500,
  "error": "Internal Server Error",
  "message": "Cannot read property 'id' of undefined",
  "stack": "TypeError: Cannot read property 'id'...\n    at handler (/app/src/routes/users.js:42:15)",
  "exception": "NullPointerException in UserService"
}

What Is Checked?

  • Stack trace exposure — Detects internal stack traces that reveal file paths, library versions, and code structure to potential attackers
  • Missing request ID — Every error should include a unique requestId for correlating client errors with server logs
  • Missing correlation ID — Distributed systems need correlationId to track requests across microservices
  • Missing trace ID — traceId enables integration with distributed tracing tools (OpenTelemetry, Jaeger)
  • Missing timestamp — ISO 8601 timestamps help correlate errors with server events
  • HTTP error classification — Identifies client errors (4xx) vs server errors (5xx) with appropriate guidance
  • RFC 7807 compliance — Checks for standard Problem Details fields: type, title, status, detail, instance
  • Sensitive field exposure — Detects fields like exception, internalMessage that should not be in production responses

RFC 7807 Problem Details Format

RFC 7807 defines a standard format for HTTP API error responses. The analyzer suggests a compliant structure for your error with these fields:

  • type — URI identifying the error type (e.g., https://api.example.com/errors/not-found)
  • title — Short, human-readable summary of the problem
  • status — The HTTP status code
  • detail — Human-readable explanation specific to this occurrence
  • instance — URI reference identifying the specific occurrence

API Error Response Best Practices

  • Never expose stack traces, file paths, or internal implementation details in production
  • Include a unique requestId in every error response for log correlation
  • Add timestamps in ISO 8601 format to help with debugging timelines
  • Use RFC 7807 Problem Details for consistent, machine-readable errors
  • Return generic messages for 5xx errors — log details server-side only
  • Include correlationId for requests that span multiple services
  • Differentiate between client errors (user fixable) and server errors (team fixable)

Privacy and Security

All analysis runs entirely in your browser using JavaScript. Your API error response — which may contain internal paths, service names, or sensitive debug information — is never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What does the API Error Response Analyzer check?

The analyzer inspects your API error response JSON for quality issues: it detects common error fields (error, message, status, code, detail), classifies HTTP status codes (4xx client vs 5xx server errors), checks for missing traceability fields (requestId, correlationId, traceId, timestamp), detects exposed stack traces, and suggests a cleaner error structure based on RFC 7807 Problem Details.

What is RFC 7807 and why should I follow it?

RFC 7807 (Problem Details for HTTP APIs) defines a standard format for error responses using fields: type (URI identifying the error type), title (short summary), status (HTTP status code), detail (human-readable explanation), and instance (URI of the specific occurrence). Following it makes your API errors consistent, machine-readable, and easier to handle by any HTTP client.

Why is exposing a stack trace in API responses dangerous?

Stack traces reveal internal file paths, library versions, framework details, and code structure. Attackers can use this information to identify known vulnerabilities in your dependencies, understand your architecture, and craft more targeted attacks. Always log stack traces server-side and return a generic error message with a requestId to clients.

What traceability fields should an error response include?

A well-designed error response should include at minimum a requestId (unique per request for log correlation), a timestamp (ISO 8601 format), and ideally a correlationId (for multi-service flows) and traceId (for distributed tracing systems like OpenTelemetry, Jaeger, or Zipkin).

How is the quality score calculated?

The score starts at 100 and deducts points based on findings: exposed stack traces (critical, -25 points), missing requestId (high, -15 points), sensitive fields like exception details (high, -15 points), missing correlationId or traceId (medium, -8 points each), and non-standard structure or missing timestamp (low, -3 points each).

Is my API response data sent to any server?

No. All analysis runs entirely in your browser using JavaScript. Your error response JSON is never transmitted, stored, or logged on any server. This makes it safe to paste production error responses containing internal details.

What JSON formats are supported?

The tool accepts any valid JSON object representing an API error response. It handles common formats including simple { "error": "message" } structures, nested objects, arrays of validation errors, and RFC 7807 Problem Details objects. Arrays at the top level are not supported — the tool expects a JSON object.

What should I do with the suggested structure?

The suggested structure provides an RFC 7807-compliant template based on your error response. Use it as a reference to standardize your API error responses: replace the example type URI with your own error taxonomy, fill in the actual detail message, and ensure requestId and timestamp are generated by your server for every error response.

What is the maximum input size?

The tool warns when input exceeds 500KB and rejects input larger than 5MB. Typical API error responses are well under 10KB. If you encounter the size limit, paste only the relevant error response portion.

Related Tools

HTTP Header Inspector

Parse and analyze HTTP headers with explanations for common headers

Api Tools

OpenAPI Viewer

View and explore OpenAPI 3.x specifications with interactive documentation

Api Tools

JWT Security Auditor

Audit JWT tokens for algorithm vulnerabilities, missing claims, excessive expiration, and sensitive data exposure

Security