HTTP Status Codes Guide: Practical Reference for API Developers

HTTP status codes are organized into five classes by their leading digit. Understanding what each class communicates is more important than memorizing individual codes, because the class tells clients how to handle the response before they parse the body.

The 1xx Informational class is rarely encountered in API development. The most relevant is 100 Continue, which a server sends when it has received request headers and the client should proceed with sending the body. The 101 Switching Protocols response is used for WebSocket upgrades — the client sends an Upgrade header requesting WebSocket, and the server responds with 101 to confirm the protocol switch.

The 2xx Success class means the request was received, understood, and accepted. The specific code carries important semantic meaning that API clients use to drive their behavior. 200 OK is the general success response for GET, PUT, and PATCH operations that return a body. 201 Created should be returned for POST requests that create a new resource — it signals creation specifically and should include a Location header pointing to the new resource. 204 No Content signals success with no response body, which is appropriate for DELETE operations and some PUT or PATCH operations where the client does not need the updated resource echoed back. 206 Partial Content is used for range requests, where a client requested only a byte range of a large file.

The 3xx Redirection class means the client must take additional action to complete the request. 301 Moved Permanently tells the client and its caches that the resource has permanently moved. 302 Found is a temporary redirect that is not cached. 304 Not Modified is the response to a conditional GET using ETag or Last-Modified — it tells the client the resource has not changed and it can use its cached version. 307 Temporary Redirect and 308 Permanent Redirect preserve the original HTTP method on the redirected request, unlike 302 and 301 which historically caused browsers to convert POST to GET on redirect.

The 4xx Client Error class means the request contains an error that the client is responsible for fixing. The server understood the request but cannot or will not process it as sent. The 5xx Server Error class means the server encountered an unexpected condition while processing a valid request. Clients typically retry 5xx responses because the server failure may be transient, while 4xx responses indicate a problem with the request itself that retrying will not fix.

The first debugging step for any API failure is to confirm what status code is being returned. This sounds obvious, but many API clients wrap responses in try-catch blocks around JSON parsing and throw generic errors that hide the HTTP status. JavaScript's fetch() is particularly misleading — it does not throw for 4xx or 5xx responses. A fetch call to an endpoint returning 500 resolves successfully and response.ok is false, but no exception is thrown. You must check response.ok or response.status after every fetch call to detect HTTP-level errors.

When debugging API responses, open the browser DevTools Network tab and click on the failing request. The Status column shows the code. The Response Headers panel shows additional context: Location on 3xx responses, WWW-Authenticate on 401 responses, Retry-After on 429 and 503 responses, and X-Request-ID or trace identifiers that help correlate the request with server-side logs. The Response tab shows the error body, which well-designed APIs use to provide machine-readable error codes alongside the HTTP status.

For server-side debugging, check whether the status code being returned matches the intent of the handler. Add temporary logging that prints the status code and the response body for every request in development. This often reveals that error handlers are returning 500 for input validation failures, or that framework defaults are overriding carefully crafted status codes. In Express, if an async handler throws an unhandled exception, the default error handler returns 500 regardless of what the exception object says.

Use /tools/http-request-builder to send requests to your API and inspect the raw status code, headers, and body. This tool bypasses any client-side error handling and shows exactly what the server returns. Test the endpoint with missing required fields to confirm it returns 400 or 422, with no authentication to confirm it returns 401, and with an authenticated but unauthorized user to confirm it returns 403. Testing these cases explicitly before shipping an API prevents consumers from writing error handling based on incorrect status codes.

For third-party APIs, the status code is often the fastest way to diagnose a problem. 401 means the API key is missing, invalid, or expired. 403 means the API key is valid but the account lacks access to that endpoint, often due to pricing tier. 429 means the rate limit has been exceeded and the Retry-After header tells you when to resume. 503 with a Retry-After means the service is temporarily unavailable and will return. Each of these requires a different response from the client and a different resolution strategy.

The most impactful status code decisions in API design are the ones that distinguish between closely related codes. Getting these distinctions right prevents consumer confusion and enables automatic error handling.

200 versus 201 versus 204: Use 200 for GET, PUT, and PATCH that return the resource. Use 201 for POST that creates a new resource, and include a Location header with the URL of the new resource. Use 204 for DELETE and for PUT or PATCH operations where you choose not to return the updated resource in the body. Never return 200 with an empty body where 204 is more accurate — some clients treat an unexpected empty body as a parse error.

400 versus 422: Use 400 Bad Request for syntactically malformed requests — a JSON body that fails to parse, a required URL parameter that is missing entirely, or an integer field that contains a string. Use 422 Unprocessable Entity for requests that are syntactically valid but fail semantic validation — a JSON body that parses correctly but contains a value outside the allowed range, a date that is in the past when a future date is required, or a combination of fields that are individually valid but mutually exclusive. The distinction matters because clients may treat 400 as a programming error and 422 as a user input error.

401 versus 403: Use 401 Unauthorized (counterintuitively named) when the request lacks valid authentication credentials. Include a WWW-Authenticate header that tells the client which authentication scheme to use. Use 403 Forbidden when the request is properly authenticated but the authenticated identity lacks permission for the requested resource. If a user is authenticated as a regular user but tries to access an admin endpoint, 403 is correct. If no token is sent at all or the token is expired, 401 is correct. The distinction drives automatic token refresh behavior in API clients.

503 with Retry-After: When an API is temporarily unavailable due to maintenance, overload, or a dependency outage, return 503 Service Unavailable with a Retry-After header in seconds. This tells load balancers to route around the instance, tells clients how long to wait before retrying, and distinguishes planned downtime from unexpected failures. 502 Bad Gateway indicates the load balancer or proxy received an invalid response from the upstream server — it is returned by the infrastructure, not the application.

For APIs with clients that may use the /tools/http-request-builder tool for manual testing, return structured error bodies alongside the status code. Include a machine-readable error code string, a human-readable message, and when applicable, a field name indicating which part of the request caused the error. This allows both automated error handling and human debugging without requiring the client to decode the status code alone.

GraphQL always returns 200 OK regardless of whether the query succeeded or failed. Errors are communicated through an errors array in the response body. A GraphQL request that hits a missing field, a permission error, or a resolver exception all return 200 with the errors array populated. This is intentional in the GraphQL specification — HTTP status codes represent transport-level success (the request was received and processed), not application-level success (the query returned the expected data). When building clients that consume GraphQL APIs, always check for the errors array even when the HTTP status is 200.

Conditional GET requests with ETags demonstrate why 304 Not Modified is important for performance. The client sends an If-None-Match header containing the ETag value from a previous response. If the resource has not changed, the server returns 304 with no body — saving the bandwidth cost of transmitting the unchanged resource. If the resource has changed, the server returns 200 with the new body and a new ETag. Omitting ETag support means every GET request transfers the full response body even when the client already has the current version cached.

The 410 Gone status communicates permanent removal more precisely than 404. Both indicate the resource is not available, but 410 tells search engine crawlers and smart clients that the resource will never exist at this URL again. Using 410 for deleted resources that were previously indexed by search engines allows crawlers to remove them from their index faster than if they return 404. This is useful during content migrations or when deliberately retiring API endpoints. Return 410 with a response body explaining where the replacement resource can be found.

HTTP/2 and HTTP/3 use the same status codes as HTTP/1.1. The version of the protocol does not change the semantic meaning of any status code. If you see a 200 over HTTP/2 or HTTP/3, it means the same thing as 200 over HTTP/1.1. The protocol version affects framing and multiplexing but not application-layer semantics.

Custom status codes in the 4xx and 5xx range are occasionally used by APIs but are not part of the HTTP specification. Some systems use 499 for client-closed requests or 522 for connection timeouts at the CDN layer. These are vendor-specific and should not be used in application code. Stick to registered IANA status codes to maintain compatibility with standard HTTP infrastructure like load balancers, proxies, and monitoring systems.

Returning 200 with an error body is the most harmful status code mistake because it defeats every layer of standard HTTP error handling. Load balancers that retry 5xx responses do not retry 200 responses. Monitoring systems that alert on error status rates miss 200 responses containing error objects. Client-side fetch wrappers that check response.ok see true for 200 and skip error handling. The pattern appears in some older API designs where the body contains a success: false field, but it forces every consumer to implement custom error detection logic instead of relying on HTTP semantics. Always return a 4xx or 5xx status for error conditions.

Not checking fetch()'s response.ok is the corresponding client-side mistake. JavaScript's fetch() only throws for network errors — DNS failures, connection refused, or the request being aborted. An HTTP 500 response resolves the fetch promise successfully. Code like fetch(url).then(r => r.json()).then(doSomething) will call doSomething with whatever the server returned, including error bodies. Add if (!response.ok) throw new Error(response.status) or similar error handling after every fetch call.

Returning 500 for all unhandled exceptions exposes internal error details and inflates server error metrics. When a handler throws because a required query parameter is missing, that is a 400. When it throws because a database record was not found, that is 404. When it throws because the user lacks permission, that is 403. Only genuine server-side failures — unhandled exceptions, database connection errors, third-party service timeouts — should return 500. Add a global exception handler that distinguishes business logic errors from infrastructure errors and maps them to appropriate status codes.

Omitting the Location header on 201 Created responses forces API consumers to make a second request to discover the URL of the new resource. The Location header is a first-class HTTP mechanism for communicating where a newly created resource lives. Including it allows clients to immediately follow up with GET /api/orders/{id} without parsing the response body to find the ID. Some hypermedia API designs include the full resource URL in the body as a self link — providing both the Location header and the body link is redundant but harmless and maximally compatible.

Ignoring Retry-After on 429 and 503 responses causes clients to implement exponential backoff with arbitrary starting intervals when the server has told them exactly how long to wait. The Retry-After header is either a number of seconds or an HTTP date. Reading this value and waiting before retrying respects the server's capacity signals and recovers from rate limiting as quickly as possible. Ignoring it and using fixed backoff intervals either waits too long (slowing recovery) or retries too soon (making the rate limit situation worse).

Define a status code convention for your API before writing the first handler, not after. Agree on which codes you use for each situation and document them in your API specification. Consistency across endpoints matters more than any individual choice being theoretically perfect. A team that always uses 400 for validation errors and 422 for business rule violations is easier to work with than a team that uses them interchangeably depending on who wrote the handler.

Return structured error bodies alongside every error status code. The body should include at minimum a machine-readable error code string and a human-readable message. For 422 errors, include a errors array with field-level details so clients can show inline form validation messages. For 429 errors, include the reset time and current limits alongside the Retry-After header. Consistent error body structure across all endpoints is as important as consistent status codes — it lets clients write a single error handler that works for every endpoint.

Use the WWW-Authenticate header on every 401 response. RFC 7235 requires it, and many HTTP client libraries use its presence to trigger automatic authentication flows. The minimal value is WWW-Authenticate: Bearer realm="api" for JWT-based APIs. Including it costs nothing and enables standard HTTP authentication negotiation for clients that support it.

Test every API endpoint's error behavior explicitly in your test suite. For each endpoint, test the success case, the missing required field case, the invalid value case, the unauthenticated case, and the unauthorized case. Assert the status code, not just the body content. A test that only checks the success response body will not catch a regression where an error handler starts returning 500 instead of 400. Make status code correctness a first-class testing concern.

Monitor the distribution of status codes in production as a health metric. A sudden increase in 4xx rates may indicate a client bug or a breaking API change. A sudden increase in 5xx rates indicates a server problem. An increase in 429 rates indicates traffic spikes that may require capacity planning. Use /tools/http-request-builder to reproduce specific requests that are generating unexpected status codes in production — this is faster than adding debug logging and redeploying. Pair this with /tools/cors-tester when CORS-related errors accompany the status code issues.