diff --git a/api-reference/error-codes.mdx b/api-reference/error-codes.mdx
index 8c22b7a..0db2bf2 100644
--- a/api-reference/error-codes.mdx
+++ b/api-reference/error-codes.mdx
@@ -62,8 +62,6 @@ Every code on this page is one `agentsfleetd` can actually emit — the list is
| `UZ-AUTH-004` | 503 | Authentication service unavailable | OIDC provider unreachable |
| `UZ-AUTH-005` | 404 | Session not found | Auth session ID not found or already expired |
| `UZ-AUTH-006` | 401 | Session expired | Auth session timed out before completion |
-| `UZ-AUTH-009` | 403 | Insufficient role | Token role is too low for this endpoint |
-| `UZ-AUTH-010` | 403 | Unsupported role | Token contains an unrecognized role claim |
| `UZ-AUTH-022` | 403 | Insufficient scope | Token lacks the required `resource:action` scope for this endpoint. The `detail` field names the required scope (e.g. `Requires scope fleet:admin`). |
## CLI login
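Review bot: The `UZ-AUTH-009` and `UZ-AUTH-010` rows are deleted outright, while the changelog entry in this same patch says the retired `UZ-AUTH-021` stays as a struck-through historical entry, so the table now handles retired codes in two different ways. Anyone who still has 009 or 010 in older logs, alert rules or client-side 403 handling will find nothing here that points them to `UZ-AUTH-022`. Either keep the two rows struck through with "superseded by `UZ-AUTH-022`", as is done for 021, or add a sentence to the `UZ-AUTH-022` row saying it replaces the role-based codes.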
diff --git a/changelog.mdx b/changelog.mdx
index aee513f..36d452c 100644
--- a/changelog.mdx
+++ b/changelog.mdx
@@ -30,6 +30,17 @@ export const STAGE_SELF_MANAGED_M66 = "$0.0001";
- **Approval enforcement** — an approved or denied grant is honored by the fleet's lease path even when the Redis mirror of that decision fails to write. The durable database row is consulted as a fallback, so enforcement can no longer diverge from the approval audit trail.
+
+ ## Error reference matches the server, and provider-credential guidance is accurate
+
+ The error-code reference no longer lists codes the server cannot emit, and the `UZ-PROVIDER-003` hint now describes what a self-managed credential actually requires.
+
+ ## Fixes
+
+ - **`UZ-PROVIDER-003` hint** — now states that `provider` and `model` are required and `api_key` is required only for a named provider (optional for an `openai-compatible` endpoint), matching the credential validator. A client following the old wording would send an unnecessary `api_key`, or misread an unrelated failure as a missing key.
+ - **Error-code reference** — removed the `UZ-AUTH-009` and `UZ-AUTH-010` rows, which have no producer in the server registry (both superseded by `UZ-AUTH-022`). The retired `UZ-AUTH-021` stays as a struck-through historical entry.
+
+
## Add a workspace template from the dashboard
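Review bot: The `UZ-PROVIDER-003` bullet says the hint "now states" the new `provider` / `model` / `api_key` requirements, but the only `error-codes.mdx` hunk shown in this patch removes the two auth rows. If the reference page also carries the `UZ-PROVIDER-003` hint text, update it in this change so the docs and the changelog agree. Otherwise say in the bullet that the change is to the server-emitted hint. Since the bullet notes that clients following the old wording would send an unnecessary `api_key`, it would also help to state whether a key supplied for an `openai-compatible` endpoint is ignored or forwarded. On style, `## Fixes` sits at the same heading level as the entry title above it and the entry ends with two blank added lines. Check both against the neighbouring entries.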