Security & Error Handling

HTTP status codes
Retry strategies
Production security checklist

HTTP status codes

Status	Meaning	Action
`400`	Bad request — validation error, invalid parameters	Fix the request
`401`	Invalid, expired, or missing API key	Check your API key
`403`	Missing required scope	Add the needed scope to your API key
`404`	Resource not found or not in your org	Verify the ID
`409`	Conflict — max attempts, duplicate webhook, etc.	Check business logic constraints
`422`	Grading failed — invalid answer format	Check answer structure matches question type
`429`	Rate limit exceeded	Wait for `Retry-After` seconds, then retry
`500`	Internal server error	Retry after a short delay

Retry strategies

For transient errors (429, 500, 502, 503, 504):

import { EdpireError } from "@edpire/sdk/client"

async function withRetry<T>(fn: () => Promise<T>, maxRetries = 3): Promise<T> {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    try {
      return await fn()
    } catch (err) {
      if (err instanceof EdpireError && [429, 500, 502, 503, 504].includes(err.status)) {
        if (attempt === maxRetries) throw err
        const delay = Math.min(1000 * Math.pow(2, attempt), 30000)
        await new Promise((r) => setTimeout(r, delay))
        continue
      }
      throw err // non-retryable
    }
  }
  throw new Error("unreachable")
}

const assessment = await withRetry(() => client.getAssessment("id"))

Production security checklist

Before going live, verify each item:

API key is server-side only

Never expose edp_live_ keys to the browser or commit them to version control. Use environment variables.

Embed tokens for browser

Use POST /embed/token to mint short-lived tokens for browser-side rendering. These expire in 1 hour and are single-use.

Webhook signatures verified

Reject any incoming webhook that fails HMAC-SHA256 verification. Use timingSafeEqual to prevent timing attacks.

Minimum scopes

Each API key has only the scopes it needs. A key that only reads data should not have write:submissions.

Allowed Origins configured

Only your production domains are in the embed allow list. Remove localhost/staging before launch.

learner_ref is server-generated

Never let the client construct or choose the learner_ref. Always generate it server-side from your auth session.

Idempotent webhook handlers

Duplicate events do not cause duplicate records. Check submission_id uniqueness before writing.

Rate limiting handled

Your code respects Retry-After headers and backs off on 429 responses.

No answer keys expected

API responses never contain answer keys. Feedback contains only correctness signals — do not attempt to reverse-engineer correct answers from it.

HTTPS in production

Webhook URLs must use HTTPS. HTTP is only permitted for localhost during development.

Testing Getting Started (Schools)

Getting Started

Developer Guide

For Schools

Security & Error Handling

HTTP status codes

Retry strategies

Production security checklist

Getting Started

Developer Guide

For Schools

​HTTP status codes

​Retry strategies

​Production security checklist

HTTP status codes

Retry strategies

Production security checklist