diff --git a/group/description.go b/group/description.go
index f6eaf81..e85a23e 100644
--- a/group/description.go
+++ b/group/description.go
@@ -17,6 +17,7 @@ import (
 
 var ErrTagMismatch = errors.New("tag mismatch")
 var ErrDescriptionsNotWritable = &NotAuthorisedError{}
+var ErrUnknownPermission = errors.New("unknown permission")
 
 type Permissions struct {
 	// non-empty for a named permissions set
@@ -37,7 +38,7 @@ var permissionsMap = map[string][]string{
 func NewPermissions(name string) (Permissions, error) {
 	_, ok := permissionsMap[name]
 	if !ok {
-		return Permissions{}, errors.New("unknown permission")
+		return Permissions{}, ErrUnknownPermission
 	}
 	return Permissions{
 		name: name,
@@ -112,7 +113,7 @@ func (p *Permissions) UnmarshalJSON(b []byte) error {
 	if err == nil {
 		_, ok := permissionsMap[s]
 		if !ok {
-			return errors.New("Unknown permission " + s)
+			return ErrUnknownPermission
 		}
 		*p = Permissions{
 			name: s,
diff --git a/webserver/webserver.go b/webserver/webserver.go
index b2b5cd8..5e76ed1 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -124,6 +124,10 @@ func httpError(w http.ResponseWriter, err error) {
 		notFound(w)
 		return
 	}
+	if errors.Is(err, group.ErrUnknownPermission) {
+		http.Error(w, "unknown permission", http.StatusBadRequest)
+		return
+	}
 	var autherr *group.NotAuthorisedError
 	if errors.As(err, &autherr) {
 		log.Printf("HTTP server error: %v", err)