What's the difference between 401 and 403?

401 means "who are you?" (unauthenticated — no valid credentials provided). 403 means "I know who you are, but you can't do this" (authenticated but unauthorized). Misnamed in the spec: 401 should really be called Unauthenticated.

When should I use 422 vs 400?

400 is for syntactic problems: malformed JSON, missing required field, invalid query parameter type. 422 is for semantic problems: valid input but business logic rejects it (e.g. "start date must be before end date"). Stripe, GitHub, and most modern APIs use 422 for validation errors.

What's the difference between 301 and 308?

Both are permanent redirects, but 301 historically allowed clients to change the HTTP method (POST → GET) when following. 308 explicitly preserves the method. Use 308 if your endpoint accepts POST and the new URL also expects POST.

Should I use 404 or 410?

404 means "does not exist now" (might come back). 410 means "permanently gone, don't come back." Google removes 410 pages from its index faster than 404 — useful for deprecating endpoints you want de-indexed quickly.

Why does my client get an error on 204 responses?

204 means "no content" and forbids a response body. Some HTTP libraries (including fetch) treat any body in a 204 as a protocol error. If you're returning 204, make sure your framework isn't auto-serializing an empty object — return truly nothing.

HTTP Status Code Reference

Searchable reference for every HTTP status code with plain-English summaries and the gotchas devs actually hit: 301 vs 308, 401 vs 403, 404 vs 410, 400 vs 422.

1xx — Informational

100ContinueRFC 9110
Server received the request headers and the client should proceed sending the body. Triggered by Expect: 100-continue header.
▸Show detailsHide details
When to return
Almost never manually — your HTTP framework handles this automatically when a client sends Expect: 100-continue. You'd only emit it yourself in low-level proxy code.
Example response
```
HTTP/1.1 100 Continue
```
Related codes
101Switching ProtocolsRFC 9110
Server agrees to switch protocols (e.g. HTTP to WebSocket) per the Upgrade header.
▸Show detailsHide details
When to return
When implementing a WebSocket server or HTTP/2 upgrade. Almost always emitted by a library, not your code.
Example response
```
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
```
Related codes
102ProcessingRFC 2518rarely seen
WebDAV interim response indicating the server is still working on the request. Deprecated by RFC 4918.
▸Show detailsHide details
When to return
Don't. It's WebDAV-specific and effectively obsolete — use 202 Accepted for async work.
Related codes
103Early HintsRFC 8297
Lets the server send preload hints before the final response — used to pre-warm fonts, scripts, etc.
▸Show detailsHide details
When to return
When you know the final response will need specific assets (CSS, fonts, scripts) but computing it will take time. Lets the browser start fetching those while your server thinks. Supported by Cloudflare, Fastly, modern browsers.
Example response
```
HTTP/1.1 103 Early Hints
Link: </styles.css>; rel=preload; as=style
Link: </app.js>; rel=preload; as=script

HTTP/1.1 200 OK
Content-Type: text/html
...
```
Related codes

2xx — Success

200OKRFC 9110
Standard success. Response body contains the requested representation.
▸Show detailsHide details
When to return
For successful GET (returning the resource), successful PUT/PATCH that updates an existing resource (and you want to return the new state), and most other happy-path responses that have a body.
Example response
```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 42

{"id":1,"name":"Alice","email":"a@ex.com"}
```
Related codes
201CreatedRFC 9110
Request succeeded and a new resource was created. Location header should point to the new resource.
Gotcha: Use for POST that creates a resource. For PUT that creates, also 201; for PUT that updates, 200 or 204.
▸Show detailsHide details
When to return
After a POST or PUT that creates a new resource. Always include the Location header pointing to the new URL; optionally include the new resource in the body.
Example response
```
HTTP/1.1 201 Created
Location: /api/users/42
Content-Type: application/json

{"id":42,"name":"Alice"}
```
Related codes
202AcceptedRFC 9110
Request accepted for processing but not yet completed. Used for async jobs.
Gotcha: The response body should describe how the client can check the job's status (e.g. a polling URL).
▸Show detailsHide details
When to return
For long-running operations you've queued — video transcoding, report generation, batch jobs. Return immediately with a status URL the client can poll.
Example response
```
HTTP/1.1 202 Accepted
Content-Type: application/json
Location: /api/jobs/abc123

{"jobId":"abc123","status":"queued","statusUrl":"/api/jobs/abc123"}
```
Related codes
203Non-Authoritative InformationRFC 9110rarely seen
Success, but the response was modified by an intermediary (typically a transforming proxy).
▸Show detailsHide details
When to return
Almost never from application code — used by transforming proxies. If you're writing a proxy that strips ads or modifies content, set this instead of 200.
Related codes
204No ContentRFC 9110
Success with no response body. Common for DELETE and for PUT that updates.
Gotcha: If you return 204, do NOT include a body — some clients (including fetch) will reject the response.
▸Show detailsHide details
When to return
After a successful DELETE, or PUT/PATCH where you don't need to return the updated state. Also for endpoints called for side effects (form submissions, telemetry events) where the response body would be wasted bandwidth.
Example response
```
HTTP/1.1 204 No Content
Date: Sun, 24 May 2026 12:00:00 GMT
(no body)
```
Related codes
205Reset ContentRFC 9110rarely seen
Success; tells the client to reset the document view (e.g. clear a form after submission).
▸Show detailsHide details
When to return
Browser form submissions where you want the form cleared but no page reload. Rarely used in modern web apps — JS handles this client-side.
Related codes
206Partial ContentRFC 9110
Response to a Range request — server returned only the bytes the client asked for. Used by video players and download resumption.
▸Show detailsHide details
When to return
When you support Range requests on large files (videos, downloads, large datasets) and the client sent a Range header. Required to support seeking in HTML5 video.
Example response
```
HTTP/1.1 206 Partial Content
Content-Type: video/mp4
Content-Range: bytes 1024-2047/100000
Content-Length: 1024

(binary bytes 1024-2047)
```
Related codes
226IM UsedRFC 3229rarely seen
Response represents a delta from a previous state, not the full resource. Niche to specific replication protocols.
▸Show detailsHide details
When to return
Don't, unless you're implementing RFC 3229 delta encoding. Not supported by mainstream clients.
Related codes

3xx — Redirect

300Multiple ChoicesRFC 9110rarely seen
The requested resource has multiple representations and the user/client should pick one.
▸Show detailsHide details
When to return
Rarely — modern content negotiation uses Accept headers and 200/406 instead. Some servers use this for language picker pages.
Related codes
301Moved PermanentlyRFC 9110
Resource has permanently moved to the URL in the Location header. Search engines update their index.
Gotcha: Many clients change POST to GET when following 301. Use 308 if you need to preserve the method.
▸Show detailsHide details
When to return
When a URL has permanently changed and you want SEO to follow. Use for renamed pages, restructured URL paths, http→https redirects. Crawlers will update their index over time.
Example response
```
HTTP/1.1 301 Moved Permanently
Location: https://example.com/new-path
Content-Length: 0
```
Related codes
302FoundRFC 9110
Temporary redirect. Originally "Moved Temporarily".
Gotcha: Same method-changing behavior as 301 in practice. Use 307 if you specifically need to preserve POST.
▸Show detailsHide details
When to return
When the redirect is temporary — A/B test variants, maintenance pages, geo-redirects. Crawlers won't update their index.
Example response
```
HTTP/1.1 302 Found
Location: /login
Set-Cookie: returnTo=/dashboard; Path=/
```
Related codes
303See OtherRFC 9110
Redirect that ALWAYS changes the request method to GET. Classic post-redirect-get pattern after form submission.
▸Show detailsHide details
When to return
After a successful POST when you want the browser to GET a result page (post-redirect-get pattern, prevents form re-submission on refresh).
Example response
```
HTTP/1.1 303 See Other
Location: /orders/12345/confirmation
```
Related codes
304Not ModifiedRFC 9110
Cache hit — the version the client has (per If-Modified-Since / If-None-Match) is still current. No body returned.
▸Show detailsHide details
When to return
Automatically by your framework or CDN when the client's If-None-Match or If-Modified-Since matches the resource's current ETag/Last-Modified. You rarely write this manually.
Example response
```
HTTP/1.1 304 Not Modified
ETag: "abc123"
Cache-Control: max-age=3600
(no body)
```
Related codes
307Temporary RedirectRFC 9110
Like 302 but the HTTP method MUST NOT change. POST stays POST when following.
▸Show detailsHide details
When to return
Temporary redirects where the client must re-submit the same method (e.g. POST forwarded to a regional endpoint). Common in API gateways.
Example response
```
HTTP/1.1 307 Temporary Redirect
Location: https://eu-api.example.com/v1/orders
```
Related codes
308Permanent RedirectRFC 9110
Like 301 but the HTTP method MUST NOT change. The modern way to permanently redirect a POST endpoint.
Gotcha: Older clients (curl 7.x, some bots) don't support 308. Stick to 301 for max compatibility unless you specifically need to preserve POST.
▸Show detailsHide details
When to return
Permanent redirects on API endpoints where POST/PUT/DELETE bodies must be re-sent. Use 301 instead for browser-facing pages where method-preservation doesn't matter.
Example response
```
HTTP/1.1 308 Permanent Redirect
Location: /api/v2/users
```
Related codes

4xx — Client Error

400Bad RequestRFC 9110
Request is malformed — bad JSON, missing required field, invalid syntax. The client should fix the request before retrying.
Gotcha: Don't use 400 for "valid request but business logic rejection." That's 422.
▸Show detailsHide details
When to return
When the request itself is broken: malformed JSON, missing required parameter, invalid query string. Use 422 instead when the syntax is fine but the values fail business rules.
Example response
```
HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error":"Invalid JSON: unexpected token at position 14"}
```
Related codes
401UnauthorizedRFC 9110
Misnamed — should be "Unauthenticated." The client has not provided valid credentials.
Gotcha: 401 = "who are you?" 403 = "I know who you are, you can't do this." Confusing these breaks UX.
▸Show detailsHide details
When to return
When no credentials were sent, the token is missing/expired/malformed, or the API key is invalid. Always include a WWW-Authenticate header indicating how to authenticate.
Example response
```
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api"
Content-Type: application/json

{"error":"Token expired","authUrl":"/login"}
```
Related codes
402Payment RequiredRFC 9110rarely seen
Reserved for future use. Some APIs (Stripe historically) returned it for payment-related errors.
▸Show detailsHide details
When to return
Generally don't — it's reserved by the spec. If you need to signal billing issues, use 403 with a specific error message in the body.
Related codes
403ForbiddenRFC 9110
Client is authenticated but doesn't have permission for this resource.
Gotcha: Some APIs use 404 instead of 403 to avoid revealing which resources exist. Defensible for security-sensitive endpoints.
▸Show detailsHide details
When to return
User is authenticated but lacks permission — wrong role, accessing another user's data, attempting an admin-only action.
Example response
```
HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error":"Insufficient permissions","required":"admin"}
```
Related codes
404Not FoundRFC 9110
The requested resource does not exist (or the server won't say if it does).
Gotcha: Means "does not exist NOW." If a resource used to exist and is permanently gone, 410 is more accurate.
▸Show detailsHide details
When to return
Resource genuinely doesn't exist, or you want to hide its existence from unauthorized users (treating 403 as 404 for privacy).
Example response
```
HTTP/1.1 404 Not Found
Content-Type: application/json

{"error":"User not found"}
```
Related codes
405Method Not AllowedRFC 9110
The resource exists but doesn't support this HTTP method.
Gotcha: Response MUST include an Allow header listing supported methods, e.g. Allow: GET, POST.
▸Show detailsHide details
When to return
Client used the wrong method on a valid URL — e.g. POST to a read-only endpoint. Always include Allow header.
Example response
```
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD
Content-Type: application/json

{"error":"DELETE not supported on this resource"}
```
Related codes
406Not AcceptableRFC 9110
Server can't produce a response matching the client's Accept header.
▸Show detailsHide details
When to return
Rare. Client demanded a specific format (Accept: application/xml) you don't support. In practice most APIs ignore Accept and just return JSON.
Example response
```
HTTP/1.1 406 Not Acceptable
Content-Type: application/json

{"error":"Only application/json is supported","supportedTypes":["application/json"]}
```
Related codes
407Proxy Authentication RequiredRFC 9110rarely seen
Like 401 but the credentials are required by a proxy between client and server, not the server itself.
▸Show detailsHide details
When to return
Only from HTTP proxies — you wouldn't emit this from an application server.
Related codes
408Request TimeoutRFC 9110
Client took too long to send the full request. Server's giving up.
Gotcha: Different from 504 Gateway Timeout — that's an upstream server taking too long, not the client.
▸Show detailsHide details
When to return
Web server emits this automatically when the client opens a connection but stops sending data. You rarely write this manually.
Related codes
409ConflictRFC 9110
Request conflicts with current state — e.g. trying to create a resource that already exists, or a version mismatch.
▸Show detailsHide details
When to return
POST creating a duplicate (e.g. username already taken), PUT with a stale ETag, deleting a resource that has dependents.
Example response
```
HTTP/1.1 409 Conflict
Content-Type: application/json

{"error":"Email already registered","conflictingResource":"/users/42"}
```
Related codes
410GoneRFC 9110
Resource permanently removed. Use instead of 404 when you want to tell crawlers and clients "don't come back."
Gotcha: Google removes 410 pages from index faster than 404. Use it for deprecated endpoints you want de-indexed.
▸Show detailsHide details
When to return
Deprecated API endpoints you've fully shut down, deleted user accounts you don't want re-created, old URLs you want removed from search engines.
Example response
```
HTTP/1.1 410 Gone
Content-Type: application/json

{"error":"This API was retired on 2026-01-01. Migrate to /v2/."}
```
Related codes
411Length RequiredRFC 9110rarely seen
Server requires a Content-Length header on the request and the client didn't send one.
▸Show detailsHide details
When to return
Rare; HTTP/1.1 servers accept chunked transfer encoding instead. Only needed by some legacy systems.
Related codes
412Precondition FailedRFC 9110
An If-Match / If-Unmodified-Since precondition failed. Used for optimistic concurrency control.
▸Show detailsHide details
When to return
PUT or PATCH where the client sent If-Match: "abc123" but the current ETag is different — someone else modified the resource since the client last read it.
Example response
```
HTTP/1.1 412 Precondition Failed
ETag: "def456"
Content-Type: application/json

{"error":"Resource modified by another request","currentEtag":"def456"}
```
Related codes
413Content Too LargeRFC 9110
Request body exceeds the server's size limit. Previously "Payload Too Large."
▸Show detailsHide details
When to return
File upload too big, JSON body over your size limit. Always document your size limits in your API docs — clients can't infer them.
Example response
```
HTTP/1.1 413 Content Too Large
Content-Type: application/json

{"error":"Maximum upload size is 10MB","received":52428800}
```
Related codes
414URI Too LongRFC 9110rarely seen
Request URI exceeds the server's limit. Typically a GET with way too much in the query string.
▸Show detailsHide details
When to return
Almost never manually — your web server enforces this. If you're hitting it intentionally, switch the endpoint to POST with a body.
Related codes
415Unsupported Media TypeRFC 9110
Request body is in a format the server doesn't accept — wrong Content-Type.
▸Show detailsHide details
When to return
Client sent application/xml when you only handle JSON, or sent multipart form data to an endpoint that expects raw JSON. Include the supported types in the response.
Example response
```
HTTP/1.1 415 Unsupported Media Type
Content-Type: application/json
Accept: application/json

{"error":"Content-Type must be application/json"}
```
Related codes
416Range Not SatisfiableRFC 9110
Client requested a byte range outside the resource's actual size.
▸Show detailsHide details
When to return
Automatically when you support Range requests and the client asks for bytes beyond end-of-file. Web server usually handles this.
Related codes
418I'm a TeapotRFC 2324
Joke status from a 1998 April Fools RFC. Some services return it for blocked requests as easter eggs.
▸Show detailsHide details
When to return
Don't return it from a real API — it's a joke. Some bot-blocking systems use it for honeypot responses.
Example response
```
HTTP/1.1 418 I'm a teapot
Content-Type: text/plain

I'm a little teapot, short and stout.
```
421Misdirected RequestRFC 9110rarely seen
Request was sent to a server that can't produce a response for this URL/authority. Common with HTTP/2 connection coalescing.
▸Show detailsHide details
When to return
Almost never from application code; emitted by load balancers and HTTP/2 servers handling multi-host connections.
Related codes
422Unprocessable ContentRFC 9110
Request is syntactically valid but semantically invalid — e.g. valid JSON but the values fail business rules.
Gotcha: The right code for validation errors when 400 feels too generic. Stripe, GitHub, and most modern APIs use this.
▸Show detailsHide details
When to return
Form validation failures: required field missing, value out of range, end-date-before-start-date, email already exists. The request was well-formed but rejected on its content.
Example response
```
HTTP/1.1 422 Unprocessable Content
Content-Type: application/json

{"errors":[{"field":"email","message":"Already taken"},{"field":"age","message":"Must be >= 18"}]}
```
Related codes
423LockedRFC 4918rarely seen
Resource is locked (WebDAV). Borrowed by some APIs for "this resource is currently being edited by someone else."
▸Show detailsHide details
When to return
Collaborative editing scenarios where only one user can write at a time. Most modern APIs use 409 Conflict or 423 with a custom body explaining who has the lock.
Related codes
424Failed DependencyRFC 4918rarely seen
Request failed because a previous request it depended on failed (WebDAV).
▸Show detailsHide details
When to return
Batch APIs where step N failed because step N-1 failed. Most APIs handle this with their own error structure rather than this code.
Related codes
425Too EarlyRFC 8470rarely seen
Server unwilling to risk processing a request that might be replayed (used in TLS 0-RTT contexts).
▸Show detailsHide details
When to return
Only relevant for TLS 1.3 0-RTT-enabled servers protecting against replay attacks. Library/server config concern, not application code.
Related codes
426Upgrade RequiredRFC 9110rarely seen
Server refuses to handle this protocol version and wants the client to switch (e.g. HTTP/1.0 → HTTP/2).
▸Show detailsHide details
When to return
When you've dropped support for older HTTP versions. Must include an Upgrade header listing what to switch to.
Related codes
428Precondition RequiredRFC 6585
Server requires conditional requests (If-Match etc.) to prevent lost-update problems on PUT/PATCH.
▸Show detailsHide details
When to return
When an unconditional PUT/PATCH on a frequently-modified resource would risk overwriting concurrent edits. Forces clients to use If-Match with ETags.
Example response
```
HTTP/1.1 428 Precondition Required
Content-Type: application/json

{"error":"This endpoint requires If-Match header","example":"If-Match: \"abc123\""}
```
Related codes
429Too Many RequestsRFC 6585
Rate limit exceeded. Response should include a Retry-After header.
Gotcha: Retry-After can be a number of seconds or an HTTP date. Modern clients handle both, but check what your client library does.
▸Show detailsHide details
When to return
Always when rate-limiting. Always include Retry-After (seconds preferred). Including X-RateLimit-Remaining and X-RateLimit-Reset headers on regular responses helps clients self-throttle.
Example response
```
HTTP/1.1 429 Too Many Requests
Retry-After: 60
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1716552000
Content-Type: application/json

{"error":"Rate limit exceeded, retry in 60s"}
```
Related codes
431Request Header Fields Too LargeRFC 6585
Individual header too large or total header section too large.
▸Show detailsHide details
When to return
Almost never manually — your web server enforces header size limits. Often surfaces when cookies grow too large or auth tokens are appended to existing tokens.
Related codes
451Unavailable For Legal ReasonsRFC 7725
Resource blocked due to legal demand (court order, government censorship). The number is a Fahrenheit 451 reference.
▸Show detailsHide details
When to return
Geoblocking by legal requirement, DMCA-takedown'd content, GDPR-erased resources. Should include a Link header pointing to information about the blocking authority.
Example response
```
HTTP/1.1 451 Unavailable For Legal Reasons
Link: <https://example.com/legal-notice>; rel="blocked-by"
Content-Type: application/json

{"error":"Unavailable in your region due to GDPR request"}
```
Related codes

5xx — Server Error

500Internal Server ErrorRFC 9110
Generic catchall — the server hit a condition it couldn't handle. The client did nothing wrong.
Gotcha: Don't leak stack traces in production. Log the detail server-side, return a generic message.
▸Show detailsHide details
When to return
When something unexpected blew up in your code. If you can describe the problem more specifically (e.g. database down, upstream service failed), use a more specific 5xx code instead.
Example response
```
HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{"error":"An unexpected error occurred","requestId":"req_abc123"}
```
Related codes
501Not ImplementedRFC 9110
Server doesn't support this HTTP method at all (any URL). Different from 405, which is method-not-allowed for a specific resource.
▸Show detailsHide details
When to return
Server only understands GET and HEAD, client sent PATCH. Almost never seen in modern frameworks which support all methods by default.
Related codes
502Bad GatewayRFC 9110
Server (acting as gateway/proxy) got an invalid response from an upstream server.
▸Show detailsHide details
When to return
Your load balancer / reverse proxy got a malformed response from your backend (5xx, connection refused, garbage bytes). Usually emitted by Nginx / Cloudflare, not application code.
Example response
```
HTTP/1.1 502 Bad Gateway
Content-Type: application/json

{"error":"Upstream service returned invalid response"}
```
Related codes
503Service UnavailableRFC 9110
Server is temporarily down — overloaded, in maintenance, etc. Include Retry-After if you can estimate.
Gotcha: Different from 502: 503 means the server itself is choosing not to respond; 502 means an upstream did something wrong.
▸Show detailsHide details
When to return
Planned maintenance, queue depth exceeded, circuit breaker open, database connection pool exhausted. The right code for "we know we're down, retry later."
Example response
```
HTTP/1.1 503 Service Unavailable
Retry-After: 120
Content-Type: application/json

{"error":"Service in maintenance until 14:00 UTC"}
```
Related codes
504Gateway TimeoutRFC 9110
Server (acting as gateway) didn't get a timely response from an upstream service.
▸Show detailsHide details
When to return
Reverse proxy or API gateway waited too long for the backend. Usually emitted by Nginx/Cloudflare/Envoy when their upstream-timeout fires.
Example response
```
HTTP/1.1 504 Gateway Timeout
Content-Type: application/json

{"error":"Upstream service timed out after 30s"}
```
Related codes
505HTTP Version Not SupportedRFC 9110rarely seen
Server doesn't support the HTTP protocol version used in the request.
▸Show detailsHide details
When to return
Almost never manually. Server-config level.
Related codes
506Variant Also NegotiatesRFC 2295rarely seen
Server has a configuration error in transparent content negotiation.
▸Show detailsHide details
When to return
Don't. Niche to RFC 2295 transparent content negotiation, effectively unused.
Related codes
507Insufficient StorageRFC 4918
Server has run out of disk space or quota to process the request (originally WebDAV).
▸Show detailsHide details
When to return
User's storage quota exhausted, server's disk full. More specific than 500 when you know the cause is storage.
Example response
```
HTTP/1.1 507 Insufficient Storage
Content-Type: application/json

{"error":"Quota exceeded","used":"10GB","limit":"10GB"}
```
Related codes
508Loop DetectedRFC 5842rarely seen
Server detected an infinite loop while processing the request (WebDAV).
▸Show detailsHide details
When to return
Niche to WebDAV. For general APIs, use 500 with a specific error message.
Related codes
510Not ExtendedRFC 2774rarely seen
Server requires further extensions to the request before it can fulfill it. From a never-adopted HTTP extension framework.
▸Show detailsHide details
When to return
Don't. Effectively dead spec.
511Network Authentication RequiredRFC 6585
The client needs to authenticate to gain network access — used by captive portals ("sign in to airport WiFi").
▸Show detailsHide details
When to return
Only from captive portals (hotel/airport WiFi). Should include a Link header to the auth page. Don't use from a normal API — that's what 401 is for.
Example response
```
HTTP/1.1 511 Network Authentication Required
Content-Type: text/html

<html><body><a href="https://wifi.example.com/login">Sign in to continue</a></body></html>
```
Related codes

How to use the http status code reference

Browse or search HTTP status codes by number, name, or keyword. The gotchas explain the non-obvious distinctions (301 vs 308, 401 vs 403, 404 vs 410, 400 vs 422) that trip up most API designs.

Formula & explanation

Status codes are grouped by class: 1xx informational, 2xx success, 3xx redirect, 4xx client error, 5xx server error. RFCs cited point to the current authoritative source (mostly RFC 9110, which superseded the old 7230-7235 series in 2022).

Examples

Search '422' to see the right code for validation errors. Search 'redirect' to compare 301/302/307/308. Search '401' to clarify the auth-vs-permission distinction.

Frequently asked questions

What's the difference between 401 and 403?: 401 means "who are you?" (unauthenticated — no valid credentials provided). 403 means "I know who you are, but you can't do this" (authenticated but unauthorized). Misnamed in the spec: 401 should really be called Unauthenticated.
When should I use 422 vs 400?: 400 is for syntactic problems: malformed JSON, missing required field, invalid query parameter type. 422 is for semantic problems: valid input but business logic rejects it (e.g. "start date must be before end date"). Stripe, GitHub, and most modern APIs use 422 for validation errors.
What's the difference between 301 and 308?: Both are permanent redirects, but 301 historically allowed clients to change the HTTP method (POST → GET) when following. 308 explicitly preserves the method. Use 308 if your endpoint accepts POST and the new URL also expects POST.
Should I use 404 or 410?: 404 means "does not exist now" (might come back). 410 means "permanently gone, don't come back." Google removes 410 pages from its index faster than 404 — useful for deprecating endpoints you want de-indexed quickly.
Why does my client get an error on 204 responses?: 204 means "no content" and forbids a response body. Some HTTP libraries (including fetch) treat any body in a 204 as a protocol error. If you're returning 204, make sure your framework isn't auto-serializing an empty object — return truly nothing.