diff --git a/authorization/api.go b/authorization/api.go
index 0d931a0..fc82c46 100644
--- a/authorization/api.go
+++ b/authorization/api.go
@@ -43,10 +43,12 @@ type Request struct {
 // Response represents authZ plugin response
 type Response struct {
- // Allow indicating whether the user is allowed or not
 Allow bool `json:"Allow"`
 // Msg stores the authorization message
 Msg string `json:"Msg,omitempty"`
+
+ // Err stores a message in case there's an error
+ Err string `json:"Err,omitempty"`
 }
diff --git a/authorization/authz.go b/authorization/authz.go
index 0388391..0ccee4f 100644
--- a/authorization/authz.go
+++ b/authorization/authz.go
@@ -84,6 +84,10 @@ func (a *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 return err
 }
+ if authRes.Err != "" {
+ return fmt.Errorf(authRes.Err)
+ }
+ if !authRes.Allow {
 return fmt.Errorf(authRes.Msg)
 }
@@ -107,6 +111,10 @@ func (a *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 return err
 }
+ if authRes.Err != "" {
+ return fmt.Errorf(authRes.Err)
+ }
+ if !authRes.Allow {
 return fmt.Errorf(authRes.Msg)
 }
diff --git a/authorization/authz_test.go b/authorization/authz_test.go
index f1c844c..369150b 100644
--- a/authorization/authz_test.go
+++ b/authorization/authz_test.go
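Review bot: The comment on the new `Err` field does not say how it relates to `Allow`, which plugin authors need in order to implement the contract correctly. In authz.go this commit checks `Err` before `Allow`, so a reply carrying both `Allow: true` and a non-empty `Err` appears to be treated as a failure. I would state that on the field, e.g. `// Err stores an error message from the plugin; when non-empty the request fails regardless of Allow`.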
@@ -19,6 +19,37 @@ import (
 const pluginAddress = "authzplugin.sock"
+func TestAuthZRequestPluginError(t *testing.T) {
+ server := authZPluginTestServer{t: t}
+ go server.start()
+ defer server.stop()
+
+ authZPlugin := createTestPlugin(t)
+
+ request := Request{
+ User: "user",
+ RequestBody: []byte("sample body"),
+ RequestURI: "www.authz.com",
+ RequestMethod: "GET",
+ RequestHeaders: map[string]string{"header": "value"},
+ }
+ server.replayResponse = Response{
+ Err: "an error",
+ }
+
+ actualResponse, err := authZPlugin.AuthZRequest(&request)
+ if err != nil {
+ t.Fatalf("Failed to authorize request %v", err)
+ }
+
+ if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+ t.Fatalf("Response must be equal")
+ }
+ if !reflect.DeepEqual(request, server.recordedRequest) {
+ t.Fatalf("Requests must be equal")
+ }
+}
+
 func TestAuthZRequestPlugin(t *testing.T) {
 server := authZPluginTestServer{t: t}
 go server.start()
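Review bot: TestAuthZRequestPluginError does not exercise the new `authRes.Err != ""` branch added in authz.go; it asserts that `authZPlugin.AuthZRequest` returns no error and that the reply round-trips, so it only shows the `Err` field survives serialization. Judging by the call shape, `authZPlugin` is the plugin client rather than `Ctx`, though createTestPlugin is outside the hunk, so confirm. I would add a case that drives `Ctx.AuthZRequest` and `Ctx.AuthZResponse` with a reply such as `Response{Allow: true, Err: "an error"}` and asserts a non-nil error, so that the fail-closed behaviour is pinned by a test.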