HTTP status codes are three-digit numbers returned by a server in response to a client’s request, indicating whether the request succeeded, failed, or requires further action. They’re grouped into five classes based on the first digit.
The five classes
1xx — Informational: The request was received, processing continues.
100 Continue: The server has received the headers; the client should send the body.101 Switching Protocols: Upgrading to WebSocket, for example.
2xx — Success: The request was received, understood, and accepted.
200 OK: Standard success response.201 Created: A resource was successfully created (common for POST requests).204 No Content: Success, but no body to return (common for DELETE).
3xx — Redirection: Further action is needed to complete the request.
301 Moved Permanently: Resource has a new permanent URL. Search engines transfer ranking.302 Found: Temporary redirect. The original URL should still be used.304 Not Modified: Cached version is still valid. No body sent.
4xx — Client Error: The request contains an error on the client’s side.
400 Bad Request: Malformed syntax or invalid parameters.401 Unauthorized: Authentication required (or failed).403 Forbidden: Authenticated but not authorized for this resource.404 Not Found: The resource doesn’t exist.405 Method Not Allowed: The HTTP method isn’t supported for this endpoint.409 Conflict: Request conflicts with the current state (e.g., duplicate resource).429 Too Many Requests: Rate limit exceeded.
5xx — Server Error: The server failed to fulfill a valid request.
500 Internal Server Error: Generic server-side failure.502 Bad Gateway: An upstream server returned an invalid response.503 Service Unavailable: Server is overloaded or down for maintenance.504 Gateway Timeout: An upstream server didn’t respond in time.
Status codes developers hit most
In practice, you’ll encounter 200, 201, 204, 301, 400, 401, 403, 404, 500, and 502 constantly. Know what each one means and how to handle it on both the client and server side.
401 vs. 403
This distinction confuses many developers. 401 Unauthorized actually means “unauthenticated” — the server doesn’t know who you are. 403 Forbidden means the server knows who you are but you don’t have permission. A request without credentials gets 401; a request with valid credentials but insufficient privileges gets 403.
REST API conventions
RESTful APIs use status codes deliberately: 201 with a Location header for created resources, 204 for successful deletions, 422 Unprocessable Entity for validation errors. Avoid returning 200 for everything with an error message in the body — that breaks HTTP semantics and makes debugging harder.
Look up any status code with the HTTP Status Codes reference, search by description with the Status Code Finder, or debug specific errors with the HTTP Error Lookup.