Common Errors

Here are some common errors that may be encountered while using the API or SDKs. If you run into an error that is not listed here and you are unable to debug it, contact

You may also find the list of HTTP Responses helpful in troubleshooting.

General Errors

Signature data did not match expected result

This error occurs when something is wrong with the signature used in the Authorization Section. Make sure you are using the HMAC-SHA256 algorithm and base-64 encoding to create the signature. Refer to the Authorization Section for steps to fix this error.

Timestamp out of acceptable time range

Every API call to ThreatConnect requires a Timestamp header that is within five minutes of the ThreatConnect server’s system time. If you get this error, you are passing in a Timestamp that does not line up with ThreatConnect system time. Refer to the Timestamp Section for steps to fix this error.

Access Denied

This error occurs when one of the values in the Authorization Header is incorrect, or when you are making a request to an owner to which the API account you are using does not have access.

Creating Indicators

There are a few details to keep in mind when creating certain Indicator types.

ASN Indicators

When creating an ASN Indicator in ThreatConnect, the AS Number must be prefixed with “ASN” and should not include a space between the prefix (“ASN”) and the AS Number. There are some examples of correct and incorrect indicator formats below.



CIDR Range Indicators with IPv6 Addresses

When creating a CIDR Range Indicator that is based on an IPv6 Address, the CIDR Range must be formatted very specifically. There can be no leading zeros in any of the sections unless that section contains only a zero. CIDR Ranges based on compressed IPv6 Addresses (e.g. 2001:db8:1234::/48) are not accepted. CIDR Ranges based on expanded/exploded IPv6 Addresses (e.g. 2001:0DB8:1234:0000:0000:0000:0000:0000) are also not accepted. Any section with 0000 must be replaced with a single zero (0). There are some examples below which demonstrate acceptable and unacceptable forms.

abc:def:10:0:0:0:0:0/48 # CORRECT

abc:def:10::/48 # INCORRECT - compressed IPv6 addresses not accepted
0abc:def:10:0:0:0:0:0/48 # INCORRECT - leading zero on first section
abc:0def:10:0:0:0:0:0/48 # INCORRECT - leading zero on second section
abc:def:0010:0:0:0:0:0/48 # INCORRECT - leading zeros on third section
abc:def:10:0000:0000:0000:0000:0000/48 # INCORRECT - expanded/exploded IPv6 addresses not accepted

The Python3 script below will format a CIDR Range (as the incoming_cidr_range variable) into the desired format:

import ipaddress

incoming_cidr_range = "2001:db8:1234::/48"
desired_cidr_range = "2001:db8:1234:0:0:0:0:0/48"

address_sections =[section.replace("0000", "xxxx").lstrip("0") for section in ipaddress.IPv6Network(incoming_cidr_range).exploded.split(":")]

formatted_cidr_range = ":".join(address_sections)
formatted_cidr_range = formatted_cidr_range.replace("xxxx", "0")

assert formatted_cidr_range == desired_cidr_range


The script above only works with Python3.

Host Indicators

When creating a Host Indicator in ThreatConnect, the host must be in ASCII. This means that Unicode Host Indicators (e.g. internationalized domain names), must be represented as Punycode. # CORRECT


Registry Key Indicators

Key Name

When creating a Registry Key Indicator in ThreatConnect, the Key Name for the Registry Key must start with one of the following values:



If a Registry Key starts with HKLM\, this must be changed to HKEY_LOCAL_MACHINE\ before the Key can be created in ThreatConnect.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 # CORRECT

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 # INCORRECT

Value Name

When creating a Registry Key Indicator in ThreatConnect via the API, the Value Name for the Registry Key is required, although you do not need to specify a value. For example, to create a Registry Key with an empty value name, use the following request:


The space in the value for the Value Name field is important. Without it, the API will return an error. The API will handle this request as though no value name was given.

URL Indicators

When creating a URL Indicator in ThreatConnect, the domain name of the URL must be lowercase. There are some examples of correct and incorrect indicator formats below. # CORRECT # INCORRECT

Additionally, the domain name of a URL must be in ASCII (if it is internationalized , it must be represented as Punycode as described here).