Do not return internal errors via the API, but manually convert them to something that does not leak information but can be sent to the user.
[ ] Have an error counter and assign each error a unique number. That number gets logged together with the error, and also returned to the user. Then a user can provide information about the error using the error number.
[ ] Report API user errors in the answer of the API.
Do not return internal errors via the API, but manually convert them to something that does not leak information but can be sent to the user.