DevKits

HTTP Status Codes Reference

Complete reference of HTTP status codes with meanings, use cases, and RFC citations. Search 60+ codes from 100 Continue to 511 Network Authentication Required.

Last updated:

Click any code for full documentation with RFC citations, use cases, common pitfalls, and related codes.

1xx Informational

Preliminary responses that convey the request has been received and understood.

2xx Success

The request was successfully received, understood, and accepted.

3xx Redirection

Further action needs to be taken to complete the request.

4xx Client Error

The request contains bad syntax or cannot be fulfilled by the server.

400

Bad Request

The server cannot process the request due to a client error (malformed syntax, invalid framing, etc.).

401

Unauthorized

Authentication is required and has not been provided, or provided credentials are invalid.

403

Forbidden

The server understood the request and the client is authenticated, but access is refused.

404

Not Found

The server has not found anything matching the requested URL.

405

Method Not Allowed

The HTTP method is known but not supported for this specific URL.

406

Not Acceptable

The server cannot produce a response matching the Accept headers sent by the client.

408

Request Timeout

The server did not receive a complete request within the time it was prepared to wait.

409

Conflict

The request conflicts with the current state of the resource.

410

Gone

The resource is no longer available and has been permanently removed.

411

Length Required

The server refuses to accept the request without a Content-Length header.

412

Precondition Failed

A precondition given in the request headers (e.g. If-Match) evaluated to false.

413

Payload Too Large

The request body is larger than the server is willing or able to process.

414

URI Too Long

The URL is longer than the server is willing to interpret.

415

Unsupported Media Type

The server refuses to process the request because the payload format is unsupported.

418

I'm a teapot

The server refuses to brew coffee because it is, permanently, a teapot.

422

Unprocessable Entity

The request is well-formed but contains semantic errors and cannot be processed.

425

Too Early

The server is unwilling to risk processing a request that might be replayed (used with TLS 0-RTT).

428

Precondition Required

The server requires the request to be conditional (e.g. include If-Match).

429

Too Many Requests

The client has sent too many requests in a given amount of time (rate limited).

431

Request Header Fields Too Large

The server is unwilling to process the request because header fields are too large.

451

Unavailable For Legal Reasons

The resource is unavailable due to legal demands (censorship, DMCA, GDPR).

5xx Server Error

The server failed to fulfill a valid request.

What is HTTP Status Codes?

HTTP status codes are three-digit numbers a server returns to tell the client how a request went. They're grouped into five classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client errors), and 5xx (server errors). Knowing the exact meaning of each code — and choosing the right one in your own APIs — is fundamental to building correct, debuggable web services. This reference covers 60+ codes with meanings, use cases, and RFC citations.

Use Cases

Design correct REST APIs

Return the semantically right code (201 for created, 204 for no content, 422 for validation) so clients can react properly.

Debug failing requests

Look up an unfamiliar code (like 409, 425, or 451) to understand why a request was rejected.

Configure redirects and caching

Choose between 301/302/307/308 and understand 304 Not Modified when tuning redirects and cache behavior.

Key Concepts

The five classes
1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error. The first digit tells you the category at a glance.
400 vs 422
400 Bad Request is for syntactic problems (malformed JSON, missing params). 422 Unprocessable Entity is for semantic/validation errors on well-formed input.
401 vs 403
401 Unauthorized means 'not authenticated' (who are you?). 403 Forbidden means 'authenticated but not allowed' (I know you, but no).
Idempotent redirects
307 and 308 preserve the HTTP method and body; 301 and 302 historically let clients switch to GET. Use 307/308 to safely redirect POST/PUT.

Tips & Best Practices

  • Return 201 Created with a Location header when a POST creates a resource — not a bare 200.
  • Use 429 Too Many Requests with a Retry-After header for rate limiting so clients back off correctly.
  • Prefer 308 over 301 when redirecting non-GET endpoints to avoid method downgrade.
  • Never return 200 with an error message in the body — clients and monitoring rely on the status code.

Frequently Asked Questions

Which HTTP status code should I return for a validation error?

422 Unprocessable Entity is the best fit for semantic validation errors (the input parsed correctly but violates business rules). Use 400 Bad Request for syntactic errors (malformed JSON, missing required parameters).

301 vs 302 vs 307 vs 308 — what's the difference?

301 = permanent (may change method to GET). 302 = temporary (may change method to GET). 307 = temporary, method-preserving. 308 = permanent, method-preserving. For permanent redirects of non-GET endpoints, prefer 308. For temporary redirects that must preserve POST/PUT, prefer 307.

Should I use 401 or 403 for permission denied?

401 = 'I don't know who you are' (missing or invalid credentials). 403 = 'I know who you are, but you can't do this' (authenticated but not authorized). If a valid user hits a resource they don't own, return 403.

Related Tools