Status Code Classes
- 1xx — Informational: Rarely seen in application code. 101 Switching Protocols used for WebSocket upgrades.
- 2xx — Success: The request succeeded.
- 3xx — Redirection: The client must take further action.
- 4xx — Client Error: The request is wrong — client should fix it.
- 5xx — Server Error: The server failed — client may retry.
2xx Success Codes
200 OK — Generic success. GET, PUT, PATCH responses.
201 Created — Resource created. POST responses. Include Location header.
202 Accepted — Request queued for async processing. Body = job ID.
204 No Content — Success, no response body. DELETE responses.
206 Partial Content — Range request response. Used for resumable downloads.Common mistake: Returning 200 for a POST that creates a resource — use 201 and include a Location: /resources/123 header so clients know where the new resource lives.
3xx Redirect Codes
301 Moved Permanently — URL has changed forever. Browsers and bots cache this.
302 Found — Temporary redirect. Not cached. Most common for auth flows.
303 See Other — After POST, redirect to GET. POST/Redirect/GET pattern.
304 Not Modified — Cache is valid; no body returned. Used with ETags.
307 Temporary Redirect — Like 302, but preserves HTTP method (POST stays POST).
308 Permanent Redirect — Like 301, but preserves HTTP method.301 vs 302: Use 301 for permanently moved pages (SEO: passes link equity). Use 302 for temporary redirects, maintenance pages, and auth redirects.
302 vs 307: 302 may change POST to GET (legacy browser behavior). Use 307 when you need to maintain the method — e.g., redirecting a POST from HTTP to HTTPS.
4xx Client Error Codes
400 Bad Request — Malformed syntax, invalid JSON, missing required field.
401 Unauthorized — Missing or invalid authentication credentials.
403 Forbidden — Authenticated but not authorized for this resource.
404 Not Found — Resource doesn't exist (or you don't want to reveal it exists).
405 Method Not Allowed — GET on a POST-only endpoint.
409 Conflict — State conflict: duplicate email, optimistic locking failure.
410 Gone — Resource existed but was permanently deleted.
422 Unprocessable Entity — Valid syntax but semantic validation failed.
429 Too Many Requests — Rate limit exceeded. Include Retry-After header.401 vs 403: 401 means "I don't know who you are — authenticate first". 403 means "I know who you are, but you can't do this". If a resource shouldn't reveal its existence to unauthorized users, return 404 instead of 403.
400 vs 422: 400 = the request is syntactically broken (can't parse the JSON). 422 = the request was understood but the data is semantically invalid (email format wrong, age is negative).
5xx Server Error Codes
500 Internal Server Error — Unhandled exception. Generic fallback.
501 Not Implemented — Feature not yet built.
502 Bad Gateway — Upstream service returned invalid response (proxy/LB sees this).
503 Service Unavailable — Server is overloaded or in maintenance. Include Retry-After.
504 Gateway Timeout — Upstream service timed out.
507 Insufficient Storage — Server ran out of disk space.502 vs 504: Both occur at the proxy/load balancer layer. 502 = upstream returned garbage. 504 = upstream didn't respond in time.
REST API Status Code Guide
GET /resources → 200 OK (with array)
GET /resources/:id → 200 OK | 404 Not Found
POST /resources → 201 Created | 400 Bad Request | 409 Conflict
PUT /resources/:id → 200 OK | 404 Not Found | 422 Unprocessable Entity
PATCH /resources/:id → 200 OK | 404 Not Found
DELETE /resources/:id → 204 No Content | 404 Not FoundLook Up Status Codes Instantly
Use ToolsVito's HTTP Status Code Reference to search and browse all status codes with descriptions, use cases, and headers — directly in your browser.