By the end of this tutorial, you’ll have a production-ready error handling wrapper for Claude agents that implements retry logic with exponential backoff, model fallbacks, timeout enforcement, and structured error responses — so your users never hit a blank screen when the API has a bad day. Agent error handling fallbacks are the difference between a toy prototype and something you can actually put in front of customers.
Most Claude agent tutorials stop at the happy path. That’s fine for demos. In production, you’re dealing with rate limits at 2am, network timeouts mid-conversation, overloaded endpoints during peak hours, and the occasional context window overflow. Without explicit fallback logic, all of those manifest as unhandled exceptions or silent failures — neither of which your users will forgive twice.
- Install dependencies — Set up the Anthropic SDK, tenacity for retries, and structlog for observability
- Define your error taxonomy — Categorize API errors by recoverability before writing any retry logic
- Build the retry decorator — Exponential backoff with jitter, respecting rate limit headers
- Implement model fallback chain — Cascade from Sonnet to Haiku when primary model fails
- Add timeout and circuit breaker logic — Prevent cascading failures from slow responses
- Wire up structured error responses — Return graceful degraded output instead of raw exceptions
Step 1: Install Dependencies
You need four packages. The Anthropic SDK is obvious. tenacity is the best Python retry library — more configurable than backoff and actively maintained. structlog gives you machine-readable logs you can actually query when something goes wrong at 3am. anyio handles async timeouts cleanly.
pip install anthropic tenacity structlog anyio
import anthropic
import structlog
import anyio
from tenacity import (
retry,
stop_after_attempt,
wait_exponential_jitter,
retry_if_exception_type,
before_sleep_log,
)
import logging
log = structlog.get_logger()
client = anthropic.Anthropic() # reads ANTHROPIC_API_KEY from env
Step 2: Define Your Error Taxonomy
Not all errors should be retried. Blindly retrying a 400 (bad request) wastes money and time — the request will fail identically every time. The errors worth retrying are transient: rate limits (429), server errors (529, 500, 503), and network timeouts. Everything else should fail fast.
from anthropic import (
RateLimitError,
APIStatusError,
APITimeoutError,
APIConnectionError,
)
# These are worth retrying — transient infrastructure issues
RETRYABLE_ERRORS = (
RateLimitError, # 429 — back off and retry
APITimeoutError, # request timed out
APIConnectionError, # network blip
)
# These indicate a permanent problem with this specific request
NON_RETRYABLE_HTTP_CODES = {400, 401, 403, 404}
def is_retryable(exception: Exception) -> bool:
if isinstance(exception, RETRYABLE_ERRORS):
return True
if isinstance(exception, APIStatusError):
# 500/503/529 are retryable; 400/401/403 are not
return exception.status_code not in NON_RETRYABLE_HTTP_CODES
return False
Step 3: Build the Retry Decorator
Exponential backoff with jitter is non-negotiable for rate-limited APIs. Without jitter, all your retrying clients synchronize and hammer the endpoint together. The wait_exponential_jitter from tenacity adds random spread, which actually helps in practice. For Claude’s rate limits, a 1–60 second window with 3 attempts is a reasonable starting point — adjust based on your tier.
from tenacity import retry_if_exception
def make_resilient_call(
model: str,
messages: list,
max_tokens: int = 1024,
system: str = "",
timeout_seconds: float = 30.0,
) -> anthropic.types.Message:
"""
Single model call with retry logic.
Raises after max attempts so the caller can trigger fallback.
"""
@retry(
retry=retry_if_exception(is_retryable),
stop=stop_after_attempt(3),
wait=wait_exponential_jitter(initial=1, max=60, jitter=5),
before_sleep=before_sleep_log(logging.getLogger(), logging.WARNING),
reraise=True, # re-raise the original exception after exhausting attempts
)
def _call():
return client.messages.create(
model=model,
max_tokens=max_tokens,
system=system,
messages=messages,
)
return _call()
Notice reraise=True — this means after 3 failed attempts, you get the original exception back, not a tenacity wrapper. That matters when your fallback chain needs to inspect the error type.
Step 4: Implement the Model Fallback Chain
The fallback order I use for most production agents: claude-sonnet-4-5 → claude-haiku-4-5 → cached/static response. Sonnet is the default because it handles complex reasoning reliably. If Sonnet is down or rate-limited beyond your retry budget, Haiku almost always responds — it runs on different infrastructure and the pricing difference is roughly 20x, so you’re not burning money on fallbacks. If you want a deeper comparison of when each model fits, this breakdown of Claude agents vs OpenAI Assistants covers the model selection tradeoffs well.
from dataclasses import dataclass
from typing import Optional
@dataclass
class AgentResponse:
content: str
model_used: str
is_fallback: bool
error_context: Optional[str] = None
# Model cascade — primary first, then fallbacks in order
MODEL_CHAIN = [
"claude-sonnet-4-5",
"claude-haiku-4-5",
]
def call_with_fallback(
messages: list,
max_tokens: int = 1024,
system: str = "",
timeout_seconds: float = 30.0,
) -> AgentResponse:
last_error = None
for i, model in enumerate(MODEL_CHAIN):
try:
log.info("agent.call", model=model, attempt_model_index=i)
response = make_resilient_call(
model=model,
messages=messages,
max_tokens=max_tokens,
system=system,
timeout_seconds=timeout_seconds,
)
return AgentResponse(
content=response.content[0].text,
model_used=model,
is_fallback=(i > 0), # True if we had to cascade
)
except Exception as e:
last_error = e
log.warning(
"agent.model_failed",
model=model,
error_type=type(e).__name__,
error_msg=str(e),
)
# Don't retry non-retryable errors on next model in chain —
# a bad request will fail everywhere
if isinstance(e, APIStatusError) and e.status_code in NON_RETRYABLE_HTTP_CODES:
break
# All models exhausted — return graceful degraded response
log.error("agent.all_models_failed", error=str(last_error))
return AgentResponse(
content="I'm unable to process your request right now. Please try again in a moment.",
model_used="none",
is_fallback=True,
error_context=type(last_error).__name__ if last_error else "unknown",
)
Step 5: Add Timeout and Circuit Breaker Logic
The Anthropic SDK’s default timeout is 10 minutes. That’s fine for batch jobs — catastrophic for user-facing agents. A user waiting 10 minutes for a response has already given up and filed a support ticket. Set explicit timeouts and enforce them at the application layer, not just the network layer.
import anyio
async def call_with_timeout(
messages: list,
system: str = "",
max_tokens: int = 1024,
timeout_seconds: float = 25.0,
) -> AgentResponse:
"""
Async wrapper that enforces a hard wall-clock timeout
across the entire fallback chain.
"""
try:
with anyio.fail_after(timeout_seconds):
# Run the synchronous fallback chain in a thread
return await anyio.to_thread.run_sync(
lambda: call_with_fallback(
messages=messages,
system=system,
max_tokens=max_tokens,
timeout_seconds=timeout_seconds - 2, # leave 2s buffer
)
)
except TimeoutError:
log.error("agent.hard_timeout", timeout_seconds=timeout_seconds)
return AgentResponse(
content="Request timed out. The system is under load — please try again.",
model_used="none",
is_fallback=True,
error_context="HardTimeout",
)
For a full circuit breaker (open/half-open/closed states), the pybreaker library integrates cleanly. I’d add it once you’re handling more than ~50 requests/minute — below that, the retry logic above is sufficient. Good observability matters here too: if you’re not logging every fallback event, you won’t know when your primary model is degraded. See our guide on observability for production Claude agents for the full logging and tracing setup.
Step 6: Wire Up Structured Error Responses
The AgentResponse dataclass already handles this, but you need to decide what to surface to users vs. what to log internally. The rule I follow: users get actionable, friendly messages. Your logs get full error context. Never let raw API error messages bubble up to a UI.
def handle_agent_request(user_message: str, system_prompt: str = "") -> dict:
"""
Top-level handler — call this from your API endpoint or workflow.
Returns a dict safe to serialize as JSON.
"""
messages = [{"role": "user", "content": user_message}]
import asyncio
result = asyncio.run(
call_with_timeout(
messages=messages,
system=system_prompt,
max_tokens=1024,
timeout_seconds=25.0,
)
)
response_payload = {
"content": result.content,
"success": result.error_context is None,
}
# Optionally surface degradation signal to frontend
if result.is_fallback and result.model_used != "none":
response_payload["notice"] = "Running on backup systems — response may be slightly limited."
# Internal fields for your observability stack — don't send to users
log.info(
"agent.request_complete",
model_used=result.model_used,
is_fallback=result.is_fallback,
error_context=result.error_context,
)
return response_payload
If you’re running agents in a serverless environment, the timeout configuration changes significantly — cold start times eat into your budget. The comparison of Vercel vs Replicate vs Beam for Claude agents covers what each platform does to your timeout headroom.
Common Errors
Retrying 400 errors and burning through your budget
This happens when your is_retryable check is too broad. A 400 means malformed request — retrying it 3 times just costs you 3x the tokens with identical failure. Always check the HTTP status code before deciding to retry. The taxonomy in Step 2 handles this correctly — don’t skip it.
Timeouts that don’t actually time out
The Anthropic SDK has its own internal timeout, but it won’t cancel a hung network connection reliably in all environments. Using anyio.fail_after at the application layer gives you a guaranteed wall-clock cutoff. If you’re on a serverless platform with a 30-second function limit, set your application timeout to 25 seconds to leave headroom for cleanup.
Fallback response masking real bugs
If your fallback returns a friendly message for every error, you’ll stop seeing actual bugs in production. A 401 (invalid API key) should not be treated the same as a 503. Log the error context with severity levels — errors that indicate misconfiguration should page you, not silently return a canned response. The error_context field in AgentResponse is there for this reason; make sure your monitoring stack actually reads it. Pair this with the agent safety monitoring patterns to catch behavioral drift alongside infrastructure failures.
Cost Implications of Fallback Logic
Retrying 3 times on Sonnet before falling to Haiku costs roughly $0.006 per fallback chain in the worst case (3x Sonnet retries on a 1K token input + output, then 1 Haiku call). At current pricing, that’s acceptable for user-facing requests but adds up fast in batch workflows. For batch processing, I’d set stop_after_attempt(1) on Sonnet and fail immediately to Haiku — you save money and latency. Our batch processing guide covers the full cost optimization approach for high-volume workloads.
What to Build Next
The natural extension here is a per-user circuit breaker that tracks failure rates at the user or session level, not just globally. If a specific user’s requests consistently fail (malformed inputs, context overflows), you want to fail fast for that user’s session without affecting others. Implement this with Redis-backed counters: track failure counts per user_id with a 60-second TTL, and short-circuit to the static fallback if they exceed 5 failures in the window. This prevents one badly-behaved client from triggering cascading retries that burn your rate limit budget for everyone else.
Frequently Asked Questions
How many retry attempts should I configure for Claude API calls?
Three attempts with exponential backoff is the right default for user-facing agents — more than that and your users are waiting too long. For batch jobs where latency doesn’t matter, you can go up to 5 attempts. Always set a wall-clock timeout that’s shorter than your SLA, regardless of attempt count.
What’s the difference between a retry and a fallback model?
A retry calls the same model again after a transient failure. A fallback switches to a different model (or a static response) when retries are exhausted. Use retries for rate limits and network blips; use fallbacks for sustained outages or when the primary model is consistently unavailable. The two patterns work together — exhaust retries first, then cascade to the fallback model.
How do I handle Claude rate limits without hammering the API?
The 429 response includes a retry-after header with the exact wait time. The tenacity library’s wait_exponential_jitter handles this reasonably well as a default, but for precise compliance you should parse the header and use that value directly. Adding jitter prevents thundering herd when multiple agent instances hit the limit simultaneously.
Should I fall back to GPT-4o if Claude is down?
It’s technically feasible but adds significant complexity — different APIs, different system prompt behavior, different output formats. For most production agents, falling back to claude-haiku-4-5 is simpler and keeps you in the same SDK. Cross-provider fallbacks make sense only if your uptime requirements are extreme (99.99%+) and you’ve tested prompt compatibility across both models.
How do I know if my fallback logic is actually working in production?
Log every fallback event with the original error type, the model that was used, and the request metadata. Then build a dashboard or alert on fallback rate — if it spikes above 2-3%, something is wrong with your primary model configuration or you’re hitting a broader API issue. The is_fallback field in the AgentResponse struct is specifically designed to make this easy to track.
Can I use this fallback pattern with streaming responses?
Yes, but timeouts are trickier. With streaming, the connection opens quickly but the full response can take 20–30 seconds. Set your timeout on the first-token latency using the stream context manager, and implement a separate chunk-level timeout to detect stalled streams mid-response. If the stream stalls, you can’t easily retry without restarting from scratch, so log it and return a partial response or error message.
Editorial note: API pricing, model capabilities, and tool features change frequently — always verify current details on the vendor’s website before building in production. Code examples are tested at time of writing; pin your dependency versions to avoid breaking changes. Some links in this article may be affiliate links — we may earn a commission if you sign up, at no extra cost to you.