What's the difference between 401 and 403?

401 Unauthorized means you need to authenticate (missing or invalid credentials). 403 Forbidden means you're authenticated but don't have permission to access this resource.

Should I use 200 for all successful responses?

No. Use 200 for successful GET requests, 201 for resource creation, 204 for successful deletion without response body, and 202 for accepted async operations.

What status code should I return for validation errors?

Use 422 Unprocessable Entity for semantic validation errors (invalid email format, missing required field). Use 400 Bad Request for malformed syntax.

When should I use 500 vs 503?

Use 500 Internal Server Error for unexpected application errors. Use 503 Service Unavailable for planned maintenance or temporary outages (includes Retry-After header).

Is 404 only for missing pages?

No. Use 404 for any resource not found: missing user IDs, deleted articles, non-existent endpoints. It means "the requested resource does not exist."

What Are HTTP Status Codes and What Do They Mean? (200, 404, 500 Explained)

beginner 9 min read September 14, 2025

apiweb development foundationshttphttp status coderest

Every time you make an API call or visit a website, the server responds with more than just data – it sends back a three-digit status code that tells you exactly what happened with your request. These codes are like the server’s way of saying “Success!”, “You made a mistake,” or “Something’s broken on my end.”

Understanding HTTP status codes is crucial for debugging API issues, building robust applications, and creating better user experiences. When your app breaks, these codes are often your first clue about what went wrong and where to look for solutions.

Brief History: Why Status Codes Exist

HTTP status codes were designed in the early 1990s as a standardized way for servers to communicate request outcomes. Rather than forcing developers to parse response messages in different languages, status codes provide a universal numeric language that every HTTP client can understand instantly. The three-digit format allows for logical grouping while leaving room for future expansion.

Status Code Categories

HTTP status codes follow a logical pattern where the first digit indicates the category:

2xx (200-299): Success These status codes indicate that the client’s request was successfully received, understood, and accepted.

Examples: 200 OK, 201 Created, 202 Accepted

3xx (300-399): Redirection These status codes indicate that further action needs to be taken by the client to complete the request.

Examples: 301 Moved, 302 Found

4xx (400-499): Client Error These status codes indicate that the client seems to have made an error in their request.

Examples: 404 Not Found, 409 Conflict, 422 Validation

5xx (500-599): Server Error These status codes indicate that the server failed to fulfill a valid request from the client.

Examples: 500 Internal Error, 502 Bad Gateway, 503 Unavailable

Restaurant Service Analogy

Think of status codes like responses from a restaurant’s order system:

2xx: “Your order is ready!” (Success) ✔️
3xx: “We moved to a new location, go to…” (Redirection) 🏃‍♂️
4xx: “You ordered something not on the menu” (Your mistake) 🚨
5xx: “Our kitchen is broken” (Restaurant’s problem) 🥲

2xx Success Codes

200 OK - Standard Success

When Used: Request succeeded and server is returning requested data.

Client Handling: Process the returned data normally.

API Design: Use for successful GET, PUT, PATCH requests that return data.

201 Created - Resource Created

When Used: New resource was successfully created (typically POST requests).

Client Handling: Extract new resource ID from response or Location header.

API Design: Always use for successful resource creation, include Location header.

202 Accepted - Request Queued for Processing

When Used: Server accepted the request for processing but hasn’t completed it yet.

Client Handling: Poll the status URL or wait for webhook notification to check completion.

API Design: Use for long-running operations, always provide way to check status.

204 No Content - Success Without Data

When Used: Request succeeded but there’s no content to return (often DELETE requests).

Client Handling: Request succeeded, no response data to process.

API Design: Use for successful DELETE operations or updates that don’t return data.

3xx Redirection Codes

301 Moved Permanently - Resource Moved

When Used: Resource has permanently moved to a new URL.

Client Handling: Update bookmarks/links to use new URL.

API Design: Use when permanently changing endpoint URLs, always include Location header.

302 Found - Temporary Redirect

When Used: Resource temporarily available at different URL.

Client Handling: Follow redirect but keep using original URL for future requests.

API Design: Use for temporary relocations or load balancing redirects.

4xx Client Error Codes

400 Bad Request - Invalid Request

When Used: Request syntax is malformed or invalid parameters.

Debugging: Check request format, required fields, parameter types.

Client Handling: Show user-friendly error, validate input before sending.

API Design: Provide specific error details about what’s wrong.

401 Unauthorized - Authentication Required

When Used: Request lacks valid authentication credentials.

Debugging: Check if API key/token is included and valid.

Client Handling: Redirect to login or prompt for credentials.

API Design: Include WWW-Authenticate header with auth method.

403 Forbidden - Access Denied

When Used: Server understood request but refuses to authorize it. This includes both permission denial and resource quota exhaustion.

Debugging:

User is authenticated but lacks permission for this action
User has exhausted their API quota (monthly/daily limit)
Check if quota is exhausted via X-Quota-* headers

Client Handling:

Show “access denied” or “quota exceeded” message based on response
For quota errors: direct user to upgrade page or show reset time
Don’t retry automatically

API Design: Clearly explain why access was denied (permissions vs quota exhaustion).

404 Not Found - Resource Doesn’t Exist

When Used: Requested resource doesn’t exist on the server.

Debugging: Check URL spelling, verify resource ID exists.

Client Handling: Show “not found” message, offer alternative actions.

API Design: Use for missing resources, not for access control.

Exception: Some servers use 404 as a generic response when they don’t want to reveal the specific reason for denying access (security through obscurity). However, this practice can make debugging harder and is generally discouraged in favor of more specific 4xx codes.

422 Unprocessable Entity - Validation Failed

When Used: Request is syntactically correct but semantically invalid.

Debugging: Request format is correct but data doesn’t meet business rules.

Client Handling: Show field-specific validation errors to user.

API Design: Provide detailed field-level error information.

429 Too Many Requests - Rate Limited

When Used: Client is making requests too quickly and has exceeded the per-minute rate limit.

Debugging: Slow down request frequency or implement retry logic with exponential backoff.

Client Handling: Respect Retry-After header, implement exponential backoff, add delays between requests.

API Design: Include Retry-After header with wait time.

Note: This is different from quota exhaustion (403). Rate limits are per-minute restrictions, while quotas (403) are daily/monthly allocations.

403 vs 429: Quota vs Rate Limiting

403 Forbidden (Quota Exhausted)

You’ve used up your monthly/daily quota allocation
Non-temporary - wait for quota reset or upgrade plan
Example: Used 10,000/10,000 monthly requests
Response includes link to upgrade page

429 Too Many Requests (Rate Limited)

You’re making requests too quickly
Temporary - slow down and retry with delays
Example: 201 requests in 1 minute (limit: 200/min)
Implement exponential backoff retry logic

5xx Server Error Codes

500 Internal Server Error - Something’s Broken

When Used: Server encountered unexpected error it can’t handle.

Debugging: Check server logs, this is a server-side issue.

Client Handling: Retry after delay, show generic error message.

API Design: Log detailed errors server-side, return generic message to client.

502 Bad Gateway - Upstream Server Error

When Used: Server acting as gateway received invalid response from upstream server.

Debugging: Problem with load balancer, proxy, or upstream service.

Client Handling: Retry after delay, likely temporary issue.

503 Service Unavailable - Server Temporarily Down

When Used: Server temporarily unable to handle requests (maintenance, overload).

Debugging: Server is intentionally offline or overloaded.

Client Handling: Respect Retry-After header, show maintenance message.

API Design: Use during planned maintenance, include Retry-After header.

520 Web Server Error - Cloudflare Specific

When Used: Cloudflare received invalid or unexpected response from origin server.

Debugging: Issue between Cloudflare and your origin server.

Client Handling: Retry after delay, contact site administrator if persistent.

Note: This is a Cloudflare-specific code, not part of official HTTP standards.

Status Code Best Practices

For API Developers

Be Specific: Use the most accurate status code for each situation
Consistency: Use the same codes for similar situations across your API
Include Error Details: Always provide helpful error messages in response body
Don’t Abuse 200: Don’t return 200 OK for error conditions with error details in body

For API Consumers

Handle Categories: Write code that handles 2xx, 4xx, and 5xx categories appropriately
Respect Rate Limits: Honor 429 responses and Retry-After headers
Retry Logic: Implement smart retries for 5xx errors but not 4xx errors
User Experience: Translate status codes into meaningful messages for users

Debugging with Status Codes

Quick Debugging Guide

2xx codes: Request succeeded, process response
3xx codes: Follow redirects automatically (most HTTP clients do this)
4xx codes: Fix your request (check authentication, parameters, permissions)
5xx codes: Server problem, try again later or contact support

Common Status Code Mistakes

Using Wrong Codes

❌ Wrong: Returning 200 OK with error message in body

⚠️ Why it is wrong: This is confusing to clients as the status code contradicts the response body. Applications expect success for 200 codes, so error handling may be bypassed, creating subtle bugs.

✅ Right: Return appropriate 4xx or 5xx code with error details

Inconsistent Usage

❌ Wrong: Using 404 for missing resources and access denial

⚠️ Why it is wrong: Inconsistent status codes make debugging difficult and confuse users. Clients can’t reliably determine if a resource doesn’t exist or if they lack permission to access it.

✅ Right: Use 404 for missing resources, 403 for access denial

Missing Error Details

❌ Wrong: Just returning status code without explanation

⚠️ Why it is wrong: Without detailed error messages, developers waste time guessing what went wrong. Good error responses should explain the issue and suggest how to fix it.

✅ Right: Include helpful error message and recovery suggestions

Official Resources

For comprehensive status code information, consult these authoritative sources:

RFC 7231 - HTTP/1.1 Semantics: Official HTTP specification
MDN HTTP Status Codes: Developer-friendly documentation
IANA Status Code Registry: Complete official registry

The Bottom Line

HTTP status codes are a universal language for communicating request outcomes between clients and servers. They provide immediate insight into what happened with your request and guide you toward the appropriate response – whether that’s processing successful data, fixing a malformed request, or implementing retry logic for server errors.

Understanding these codes helps you build more robust applications, debug issues faster, and create better user experiences. When something goes wrong with an API call, the status code is usually your first and most important clue about what happened and how to fix it.

Master these numeric messages, and you’ll be fluent in the fundamental feedback system that keeps the web’s communication flowing smoothly.

Continue Your API Journey

Ready to dive deeper?

What is an Endpoint? API Endpoints Explained - Learn about API endpoints, their key components, common patterns and endpoint design best practices.

FAQ

What’s the difference between 401 and 403?

401 Unauthorized means you need to authenticate (missing or invalid credentials). 403 Forbidden means you’re authenticated but don’t have permission to access this resource.
Should I use 200 for all successful responses?

No. Use 200 for successful GET requests, 201 for resource creation, 204 for successful deletion without response body, and 202 for accepted async operations.
What status code should I return for validation errors?

Use 422 Unprocessable Entity for semantic validation errors (invalid email format, missing required field). Use 400 Bad Request for malformed syntax.
When should I use 500 vs 503?

Use 500 Internal Server Error for unexpected application errors. Use 503 Service Unavailable for planned maintenance or temporary outages (includes Retry-After header).
Is 404 only for missing pages?

No. Use 404 for any resource not found: missing user IDs, deleted articles, non-existent endpoints. It means “the requested resource does not exist.”

Olga S.

Founder of NewsDataHub — Distributed Systems & Data Engineering

Connect on LinkedIn