
403 Forbidden

The request reached the governance chain but was blocked by a policy. No tokens were consumed at the provider. The governance_stage field identifies which check blocked it.

Error codes

pii_detected

{
  "error": {
    "code": "pii_detected",
    "message": "Request blocked: PII detected in prompt (patterns: email, ssn). Remove sensitive data before retrying.",
    "request_id": "req_01hwz3kj4p5qm8n9v2t6yg",
    "governance_stage": "pii_scan",
    "patterns_matched": ["email", "ssn"]
  }
}

Cause: The PII scanner found matching patterns in your prompt. The request was blocked before reaching the provider.

Fix options:

  1. Remove the PII from the prompt — use generic placeholders instead of real data
  2. Redact before sending — use the CM redaction helper:

     from curate_me.gateway import CurateGateway

     gw = CurateGateway(api_key="cm_sk_your_key")

     # Redact PII before it enters the prompt
     redacted_text, redaction_map = gw.redact("John Doe's email is john@company.com")
     # redacted_text: "{{NAME_1}}'s email is {{EMAIL_1}}"

     response = gw.openai().chat.completions.create(
         model="gpt-4o",
         messages=[{"role": "user", "content": redacted_text}],
     )

     # Optionally un-redact the response
     result = gw.unredact(response.choices[0].message.content, redaction_map)

  3. Adjust the PII policy — if the pattern is a false positive, contact support to tune the allowlist for your org

PII patterns include: email, SSN, credit card, phone number, passport, driver’s license, IP address, AWS key, GitHub token, OpenAI key, and 23 more. See the PII troubleshooting reference.


prompt_injection_detected

{
  "error": {
    "code": "prompt_injection_detected",
    "message": "Request blocked: prompt injection pattern detected. Review your prompt for instruction override attempts.",
    "request_id": "req_01hwz3kj4p5qm8n9v2t6yh",
    "governance_stage": "content_safety"
  }
}

Cause: The content safety scanner detected a pattern matching known prompt injection techniques (e.g., “ignore previous instructions”, “you are now DAN”).

Fix: Review your prompt template. If this is a false positive (e.g., you’re building a security tool that analyzes injection patterns), contact support — the AI security classifier can be tuned for your use case.


jailbreak_detected

{
  "error": {
    "code": "jailbreak_detected",
    "message": "Request blocked: content policy violation detected.",
    "request_id": "req_01hwz3kj4p5qm8n9v2t6yi",
    "governance_stage": "content_safety"
  }
}

Fix: Review the prompt for content that bypasses safety restrictions. If this is a legitimate use case (security research, red teaming), contact support to adjust your org’s content safety policy.


security_violation

{
  "error": {
    "code": "security_violation",
    "message": "Request blocked by security scanner: encoded payload detected.",
    "request_id": "req_01hwz3kj4p5qm8n9v2t6yj",
    "governance_stage": "security_scan"
  }
}

Cause: The advanced security scanner detected encoded payloads, exfiltration patterns, or other security-flagged content. This stage runs after the content safety check and uses more aggressive pattern matching.


model_not_allowed

{
  "error": {
    "code": "model_not_allowed",
    "message": "Model 'gpt-4o' is not in the allowlist for this organization. Allowed models: [claude-haiku-4-5, gpt-4o-mini].",
    "request_id": "req_01hwz3kj4p5qm8n9v2t6yk",
    "governance_stage": "model_allowlist",
    "requested_model": "gpt-4o",
    "allowed_models": ["claude-haiku-4-5", "gpt-4o-mini"]
  }
}

Cause: Your organization has a model allowlist configured and the requested model is not on it.

Fix options:

  1. Use an allowed model — switch your request to one of the allowed_models
  2. Expand the allowlist — Dashboard → Settings → Governance → Model Allowlist
     # Add gpt-4o to the allowlist
     curl -X POST https://api.curate-me.ai/v1/admin/governance/model-allowlist \
       -H "X-CM-API-Key: cm_sk_your_key" \
       -H "Content-Type: application/json" \
       -d '{"action": "add", "model": "gpt-4o"}'

insufficient_scope

{
  "error": {
    "code": "insufficient_scope",
    "message": "This operation requires the 'gateway_admin' scope. Your key has scopes: [gateway_proxy].",
    "request_id": "req_01hwz3kj4p5qm8n9v2t6yl",
    "required_scope": "gateway_admin",
    "key_scopes": ["gateway_proxy"]
  }
}

Cause: You’re calling an admin endpoint (e.g., /v1/admin/*) with a key that only has proxy scope.

Fix: Use a key with gateway_admin scope, or generate a new admin key in Dashboard → Settings → API Keys. Choose “Admin” key type.


False-positive reduction

The AI security classifier (governance stage 4.7) runs after the content safety and security scan stages to reduce false positives. If legitimate prompts are still being blocked:

  1. Note the request_id from the error
  2. Go to Dashboard → Traces → find the request → click “Report False Positive”
  3. Or contact support@curate-me.ai with the request ID

False positive reports are reviewed within 24 hours for paid plans and 72 hours for free plans.
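
The error bodies above share one envelope, so a client can triage every 403 in one place. The following is an added example, not code from the Curate-Me SDK: the `Triage` class, the `triage_403` function and the action labels are hypothetical, and it assumes only the JSON fields shown on this page.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Content-policy blocks: never resend unchanged; report with the request_id instead.
NO_RETRY = {"prompt_injection_detected", "jailbreak_detected", "security_violation"}

@dataclass
class Triage:
    code: str
    stage: Optional[str]
    request_id: Optional[str]
    action: str  # hypothetical labels: redact, switch_model, need_scope, report, unknown
    detail: dict = field(default_factory=dict)

def triage_403(body, preferred_models=()):
    """Map a 403 governance error body to the caller's next step."""
    try:
        err = json.loads(body)["error"]
        code = str(err["code"])
    except (ValueError, KeyError, TypeError):
        return Triage("unparseable", None, None, "unknown")
    stage, rid = err.get("governance_stage"), err.get("request_id")
    if code == "pii_detected":
        return Triage(code, stage, rid, "redact",
                      {"patterns": err.get("patterns_matched", [])})
    if code == "model_not_allowed":
        allowed = err.get("allowed_models", [])
        # Fall back only to a model the caller pre-approved, never silently.
        pick = next((m for m in preferred_models if m in allowed), None)
        return Triage(code, stage, rid, "switch_model" if pick else "report",
                      {"model": pick, "allowed": allowed})
    if code == "insufficient_scope":
        return Triage(code, stage, rid, "need_scope",
                      {"missing": err.get("required_scope"),
                       "have": err.get("key_scopes", [])})
    return Triage(code, stage, rid, "report" if code in NO_RETRY else "unknown")

# Bodies below are this page's own examples with the message field omitted.
SAMPLE_PII = ('{"error": {"code": "pii_detected", "request_id": "req_01hwz3kj4p5qm8n9v2t6yg", '
              '"governance_stage": "pii_scan", "patterns_matched": ["email", "ssn"]}}')
SAMPLE_MODEL = ('{"error": {"code": "model_not_allowed", "request_id": "req_01hwz3kj4p5qm8n9v2t6yk", '
                '"governance_stage": "model_allowlist", "requested_model": "gpt-4o", '
                '"allowed_models": ["claude-haiku-4-5", "gpt-4o-mini"]}}')
SAMPLE_SCOPE = ('{"error": {"code": "insufficient_scope", "request_id": "req_01hwz3kj4p5qm8n9v2t6yl", '
                '"required_scope": "gateway_admin", "key_scopes": ["gateway_proxy"]}}')

if __name__ == "__main__":
    for body in (SAMPLE_PII, SAMPLE_MODEL, SAMPLE_SCOPE, "not json"):
        print(triage_403(body, preferred_models=["gpt-4o-mini"]))
```

Log the returned `request_id` with every blocked call so it is on hand when filing a false-positive report.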