Common Errors

Error codes, their causes, and how to fix them.

This page documents the most common error responses from the KubeWatch API and how to resolve them.

HTTP error reference

Error messageHTTP statusCauseFix
unauthorized401Missing Authorization header or X-API-Key, expired JWT, or revoked API keyRe-authenticate to get a new JWT, or check your API key in Settings → API Keys
invalid token401JWT is malformed, has an invalid signature, or has expiredRe-authenticate. If the error persists, verify JWT_SECRET is consistent across services (self-hosted)
missing org_id claim401JWT was issued without an org_id claim (corrupted or from an old version)Re-authenticate. Contact support if this persists after re-login
org_suspended402Your organization's billing is suspended (failed payment)Update your payment method in Settings → Billing
rate_limit_exceeded429Too many API requests per second for your planReduce request rate, add backoff/retry logic, or upgrade your plan
upstream unavailable502A backend microservice is down or unreachableCheck gateway /health endpoint; self-hosted users check docker compose ps
{"error":"unauthorized"} (from agent)401Agent's API key is wrong or has been revokedRegenerate key in the dashboard and update KUBEWATCH_API_KEY on the agent
org_not_found404The organization associated with the API key no longer existsThe organization may have been deleted; contact support
agent_limit_reached403You've hit the maximum agent count for your planDelete unused agents or upgrade your plan

Self-hosted specific errors

SymptomCauseFix
All services return 502Gateway can't reach backend servicesRun docker compose ps and check which services are Up vs Exit
Login fails with 500Auth service can't reach the databaseCheck docker compose logs auth for DB connection errors; verify DATABASE_URL in .env
Metrics not savingIngestion service crashedCheck docker compose logs ingestion; often a DB schema migration issue on first startup
Dashboard shows blank pageNEXT_PUBLIC_API_URL points to wrong addressUpdate .env and restart the dashboard service
TLS certificate errorsLet's Encrypt cert not issued or expiredCheck docker compose logs nginx; verify DNS points to your server

Agent errors

Log messageCauseFix
failed to connect: dial tcp: connection refusedGateway URL is wrong or gateway is downVerify KUBEWATCH_SERVER_URL and check gateway health
permission denied: /var/run/docker.sockAgent doesn't have Docker socket accessMount the socket and ensure correct permissions (see No Metrics Showing)
push failed: 429 Too Many RequestsPushing too frequentlyIncrease KUBEWATCH_INTERVAL (default is 15s; try 30s)
certificate signed by unknown authoritySelf-hosted with self-signed certSet KUBEWATCH_TLS_SKIP_VERIFY=true (development only) or install a valid cert
agent_limit_reachedOrganization at agent limitDelete unused agents from the dashboard or upgrade the plan

Getting more help

If you can't find the answer here:

  1. Check the GitHub Discussions for community answers
  2. Open a support ticket from Settings → Support in the dashboard
  3. Email support@kubewatchlabs.com

When contacting support, include:

  • Your agent version (docker inspect kubewatch-agent | grep Image)
  • Relevant log output
  • The full error message including HTTP status code