Bad Request
4xx Client Error
Last updated:
The server cannot process the request due to a client error (malformed syntax, invalid framing, etc.).
Description
The generic 'client screwed up' code. In practice, many APIs also use 400 for domain validation errors, though 422 Unprocessable Entity is a better fit for semantically-invalid but syntactically-valid input.
When to use
Return 400 for malformed JSON, missing required parameters, or invalid header formats.
Common pitfalls
Avoid returning 400 for authentication failures (use 401) or authorization failures (use 403).
Specification
RFC 9110 §15.5.1
Examples
HTTP/1.1 400 Bad Request
Content-Type: application/json
{"error":"Bad Request"}res.status(400).json({ error: "Bad Request" });w.WriteHeader(http.StatusBadRequest)
return jsonify({"error": "Bad Request"}), 400Related status codes
Unauthorized
Authentication is required and has not been provided, or provided credentials are invalid.
Forbidden
The server understood the request and the client is authenticated, but access is refused.
Unprocessable Entity
The request is well-formed but contains semantic errors and cannot be processed.