List returns
GET/returns
Read-only and list-only. Returns are created on devices and synced upstream. There is no get-by-id: GET /returns/{id} returns 405, as does any POST/PUT/DELETE. Fetch returns by paging this list.
Request
Responses
- 200
- 400
- 401
- 403
- 405
- 429
A page of returns
RFC 7807 problem
No API key was sent (missing Authorization header). Returned by the gateway as {"message":"Unauthorized"}, NOT RFC 7807, and without X-Request-Id. Note: a key that IS sent but is invalid/unknown/revoked/ expired returns 403 (see the Forbidden response), not 401.
A key was sent but rejected by the authorizer: the key is invalid / unknown / revoked / expired, OR its IP allow-list blocked the source IP, OR the key is newly created and not yet activated (~1 min propagation). Gateway-shaped and NOT RFC 7807, and without X-Request-Id. The body is the raw AWS authorizer-deny JSON with a CAPITAL Message: {"Message":"User is not authorized to access this resource with an explicit deny in an identity-based policy"}. This is an AWS string that may change — branch on the 403 status, not the body text.
RFC 7807 problem
Rate limit exceeded for this organization (metered per tenantId). Note: enforced by the API gateway, so the body is gateway-shaped ({"message":"Too Many Requests"}, with x-amzn-errortype: TooManyRequestsException), NOT RFC 7807, and without X-Request-Id. A Retry-After header is not guaranteed (the burst-rate throttle does not send one) — back off with your own exponential backoff and branch on the status, not the body text.