Understanding HTTP Status Codes Every Developer Should Know (With Real API Examples)
If you've ever integrated an API, you've almost certainly encountered responses like 200 OK, 404 Not Found, or 500 Internal Server Error.
At first, these numbers can seem confusing. But once you understand what each status code means, debugging becomes much easier.
In this article, we'll explore the most common HTTP status codes, when they're returned, and how to respond to them as a developer.
What Are HTTP Status Codes?
HTTP status codes are standardized responses sent by a server after it receives a request from a client (such as a web browser, mobile app, or frontend application).
Every response contains two important pieces of information:
- The status code
- The response body (if any)
Example:
HTTP/1.1 200 OK
Content-Type: application/json
{
"message": "User retrieved successfully"
}
The status code immediately tells you whether the request succeeded or failed.
The Five Categories of Status Codes
HTTP status codes are grouped into five categories.
| Range | Meaning |
|---|---|
| 1xx | Informational |
| 2xx | Success |
| 3xx | Redirection |
| 4xx | Client Errors |
| 5xx | Server Errors |
Let's look at the ones you'll encounter most often.
200 OK
This is the response every developer wants to see.
It means the request was successful and the server returned the expected data.
Example:
GET /api/users/15
Response
200 OK
Response body
{
"id": 15,
"name": "John",
"email": "john@example.com"
}
Use this when:
- Fetching users
- Loading products
- Retrieving reports
- Reading configuration data
201 Created
Returned after successfully creating a new resource.
Example:
POST /api/users
Response
201 Created
{
"id": 101,
"name": "Alice"
}
Typical use cases:
- User registration
- Creating blog posts
- Adding products
- Creating orders
204 No Content
Sometimes an operation succeeds but doesn't need to return any data.
Example:
DELETE /api/users/15
Response
204 No Content
This is commonly used after successful delete operations.
400 Bad Request
The server couldn't process the request because it was invalid.
Common reasons:
- Missing required fields
- Invalid JSON
- Incorrect data types
- Validation failures
Example:
{
"email":"not-an-email"
}
Possible response
{
"error":"Invalid email address"
}
Always validate user input before sending requests.
401 Unauthorized
Authentication is required.
Typical causes:
- Missing JWT token
- Expired access token
- Invalid credentials
Example:
Authorization header missing
Response
401 Unauthorized
403 Forbidden
The user is authenticated but doesn't have permission.
Example:
A normal user tries to access an admin endpoint.
403 Forbidden
Think of it like this:
- 401 = "Who are you?"
- 403 = "I know who you are, but you're not allowed."
404 Not Found
Probably the most recognized status code.
It means the requested resource doesn't exist.
Example
GET /api/products/99999
Response
404 Not Found
Possible reasons:
- Wrong URL
- Deleted resource
- Incorrect API version
- Typo in endpoint
409 Conflict
Returned when a request conflicts with existing data.
Example:
Creating a user with an email address that's already registered.
{
"email":"john@example.com"
}
Response
409 Conflict
422 Unprocessable Entity
The request is syntactically correct, but the provided data doesn't satisfy business rules.
Example:
{
"age": -5
}
Response
{
"error":"Age must be greater than zero."
}
Many modern REST APIs use this status code for validation errors.
500 Internal Server Error
This indicates something went wrong on the server.
Examples include:
- Null reference exceptions
- Database connection failures
- Unexpected exceptions
- Configuration issues
Example response
500 Internal Server Error
If you're building APIs, avoid exposing stack traces to clients. Instead, log the error internally and return a meaningful message.
503 Service Unavailable
The server is temporarily unavailable.
Possible reasons:
- Scheduled maintenance
- High traffic
- Database outage
- Dependency failure
Unlike a 500 error, a 503 often indicates the service may recover shortly.
Quick Reference
| Status | Meaning |
|---|---|
| 200 | Success |
| 201 | Resource created |
| 204 | Success, no response body |
| 400 | Bad request |
| 401 | Authentication required |
| 403 | Permission denied |
| 404 | Resource not found |
| 409 | Conflict |
| 422 | Validation/business rule failure |
| 500 | Internal server error |
| 503 | Service temporarily unavailable |
Best Practices
- Use the correct status code instead of always returning
200. - Return clear, consistent error messages.
- Validate input before processing requests.
- Log server-side exceptions for troubleshooting.
- Avoid exposing sensitive implementation details in error responses.
- Document expected status codes in your API documentation.
Final Thoughts
Understanding HTTP status codes is one of the simplest ways to become more effective at debugging APIs and building reliable applications. Choosing the right response code also makes your APIs easier for other developers to integrate with and troubleshoot.
Which HTTP status code do you encounter most often in your day-to-day development? Share your experience in the comments—I’d love to hear your stories and debugging tips.
Explore More Developer Tools
If you regularly work with APIs, JSON, encoding, formatting, or debugging, check out ToolBenchApp: https://toolbenchapp.com/.
It's a growing collection of free browser-based developer tools designed to simplify everyday development tasks—whether you're formatting JSON, validating data, decoding JWTs, comparing text, or converting common formats. If you have ideas for a tool that would make your workflow easier, I'd love to hear your suggestions.
Top comments (1)
I found the explanation of the 401 and 403 status codes to be particularly helpful, as it can be easy to get these two mixed up. I appreciate the analogy "401 = 'Who are you?' and 403 = 'I know who you are, but you're not allowed'" - it makes the distinction very clear. One question I do have is how to handle cases where a user's access token has expired, but they are still logged in - should we return a 401 in this case, or is there a better approach?