Reference

Error codes

Last updated: 2026-06-11

Exceptions raised by the SDK

ExceptionCauseAction
UnauthorizedAccessException An outbound message was denied by policy. Check policy.csv. Either remove the deny rule or add a matching allow rule.
InvalidOperationException: Already in swarm mode EnableSwarmModeAsync called twice on the same client. Swarm mode is irreversible. To change Swarm Key, wipe activation and re-activate.
InvalidOperationException: Cannot enter swarm mode with an empty policy Tried to enable swarm with no rules configured. Add at least one rule before calling EnableSwarmModeAsync.
InvalidOperationException: AuthorizeAsync is only available when AutoEnforce is OFF Called AuthorizeAsync(ciphertext) while AutoEnforce is ON. Call DisableAutoEnforce() first, or use DecryptEnvelopeAsync which auto-enforces.
ArgumentException on AddPolicyRuleAsync Invalid rule (missing field, wrong direction/effect, user realm without matching user identity). Read the exception message; it identifies the specific validation failure.
FormatException: Envelope missing separator Envelope was corrupted or truncated in transit. Verify the transport preserves the envelope bytes intact.

Platform return values

Some SDK methods surface error codes from the HexaEight platform as string return values:

CodeMeaning
-1Generic platform-side failure
-3Identity not authorised to request a key for this recipient
Returned string starts with lowercase dGVsbDA=Decoy ASK — the platform refused to issue a real key (typically activation expired or integrity check failed)
Returned string starts with uppercase DGVsbDA=Real ASK — the operation succeeded

Authorization status values

ValueMeaning
AllowedThe message passed all policy checks. Body is the real plaintext.
DeniedA rule denied the message. Body has been replaced with the redaction marker.
DisabledAutoEnforce was OFF when the message was processed. Body is the real plaintext; no policy check ran.