What it means

Your request was not authenticated. This can happen at the gateway (mTLS cert rejected, wrong X-Customer-ID, fingerprint mismatch) or at the upstream VOP provider (PreVOP's own credentials with the provider failed). Check X-Rejected-By-Provider to tell them apart.

When you'll see it

• Your client certificate is not in alseda's trust store for this environment.
• You sent no client certificate at all (TLS handshake did not include one).
• Your X-Customer-ID header does not match any configured customer.
• Your cert fingerprint does not match the fingerprint alseda has stored for your customer record (typically after a cert rotation that was not synchronised with alseda).
• PreVOP's upstream authentication with the VOP provider failed — your request was valid but PreVOP could not reach the provider on your behalf.

Example response

HTTP/1.1 401 Unauthorized
Content-Type: application/problem+json
X-Request-ID: 550e8400-e29b-41d4-a716-446655440000
X-Rejected-By-Provider: false

{
  "type":    "https://errors.prod.prevop.alseda.eu/errors/client-invalid",
  "code":    "CLIENT_INVALID",
  "title":   "Customer not recognized",
  "status":  401,
  "detail":  "X-Customer-ID does not match any active customer"
}

How to fix

1. Check X-Rejected-By-Provider. If false, the gateway rejected you; if true, the upstream provider did — alseda handles provider-side auth, so contact us.
2. Confirm your client certificate is installed correctly in your HTTP client and the TLS handshake is completing with requestCert: true.
3. Verify your X-Customer-ID value is the ten-digit identifier alseda issued to you.
4. If you recently rotated your certificate, upload the new cert via alseda's customer portal OR send the new PEM to your alseda contact so the fingerprint is updated.
5. After any cert change, resend with a fresh X-Request-ID.

Related

• Customer API Contract §2 — mTLS + X-Customer-ID requirements
• See also: CLIENT_INCONSISTENT — credentials authenticated but do not match the payload.