diff --git a/src/controllers/idnot.controller.ts b/src/controllers/idnot.controller.ts
index ff84d8b..6ba6f40 100644
--- a/src/controllers/idnot.controller.ts
+++ b/src/controllers/idnot.controller.ts
@@ -4,7 +4,7 @@ import { IdNotService } from '../services/idnot';
 import { authTokens } from '../utils/auth-tokens';
 import { IdNotUser, AuthToken } from '../types';
 import { Logger } from '../utils/logger';
-import { NotFoundError, ExternalServiceError, BusinessRuleError, UnauthorizedError, ForbiddenError } from '../types/errors';
+import { NotFoundError, ExternalServiceError, BusinessRuleError, UnauthorizedError, ForbiddenError, ValidationError } from '../types/errors';
 
 /**
  * Pure controller methods that handle business logic
@@ -173,7 +173,13 @@ export class IdNotController {
         error: error instanceof Error ? error.message : 'Unknown error'
       });
 
-      if (error instanceof BusinessRuleError || error instanceof ExternalServiceError) {
+      // Laisser passer les erreurs applicatives connues (4xx) pour éviter un 502 côté client
+      if (
+        error instanceof BusinessRuleError ||
+        error instanceof ForbiddenError ||
+        error instanceof UnauthorizedError ||
+        error instanceof ValidationError
+      ) {
         throw error;
       }