HTTP Status Codes
Searchable reference of every HTTP status code with what it means and when to use it.
| 100 | Continue | The server got the request headers and the client should send the body. |
| 101 | Switching Protocols | The server agrees to switch protocols, e.g. to WebSocket. |
| 200 | OK | The request succeeded. The standard success response. |
| 201 | Created | A new resource was created. The response usually includes its location. |
| 202 | Accepted | The request was accepted for processing but is not done yet. |
| 204 | No Content | Success, with nothing to return. Common for DELETE and PUT. |
| 206 | Partial Content | A range request succeeded; this is part of the resource. Used for video streaming and resumable downloads. |
| 301 | Moved Permanently | The resource lives at a new URL forever. Browsers and search engines update their records. |
| 302 | Found | Temporary redirect. The original URL is still canonical. |
| 304 | Not Modified | The cached version is still valid; no body is sent. The backbone of HTTP caching. |
| 307 | Temporary Redirect | Like 302, but the request method must not change when following it. |
| 308 | Permanent Redirect | Like 301, but the request method must not change. Used for redirecting POST endpoints. |
| 400 | Bad Request | The request is malformed: invalid JSON, missing fields, bad syntax. |
| 401 | Unauthorized | Authentication is missing or wrong. Misnamed: it means unauthenticated. |
| 403 | Forbidden | Authenticated, but not allowed to do this. This one means unauthorized. |
| 404 | Not Found | The resource does not exist, or the server does not want to admit it exists. |
| 405 | Method Not Allowed | The resource exists but not for this HTTP method, e.g. POST to a read only endpoint. |
| 409 | Conflict | The request conflicts with current state: duplicate entry, edit collision, version mismatch. |
| 410 | Gone | The resource existed and was deliberately removed. Stronger than 404. |
| 413 | Payload Too Large | The request body exceeds what the server accepts. Common with file uploads. |
| 415 | Unsupported Media Type | The Content-Type of the request is not supported, e.g. XML sent to a JSON API. |
| 418 | I'm a teapot | An April Fools joke from 1998 that servers still implement for fun. |
| 422 | Unprocessable Entity | The syntax is valid but the content fails validation rules. The standard validation error code. |
| 429 | Too Many Requests | Rate limited. The Retry-After header says when to try again. |
| 500 | Internal Server Error | Something broke on the server. The catch-all for unhandled exceptions. |
| 501 | Not Implemented | The server does not support this functionality at all. |
| 502 | Bad Gateway | A proxy or load balancer got an invalid response from the server behind it. |
| 503 | Service Unavailable | The server is overloaded or down for maintenance. Temporary by definition. |
| 504 | Gateway Timeout | A proxy gave up waiting for the server behind it to respond. |
About the HTTP Status Codes
Every HTTP response starts with a three digit status code, and choosing or interpreting the right one is a daily task for anyone building or consuming APIs. This is a searchable reference of the codes that matter, grouped by class, with descriptions written for practical use rather than copied from the RFC.
The classes: 1xx informational (rare), 2xx success, 3xx redirection, 4xx the client did something wrong, 5xx the server did something wrong. That last distinction is the one worth internalizing, because it determines who needs to fix the problem and whether retrying can help.
The pairs that cause the most confusion: 401 vs 403 (not logged in vs logged in but not allowed), 301 vs 302 (permanent vs temporary redirect, which matters enormously for SEO), and 400 vs 422 (malformed request vs well formed request that fails validation).
Reach developers and designers who use these tools every day. Privacy-first, no trackers.
Frequently asked questions
What is the difference between 401 and 403?
401 means the request lacks valid authentication: not logged in, expired token, wrong API key. 403 means authentication succeeded but this identity is not allowed to do this. The names are misleading; the behaviors are exactly opposite to what they sound like.
When should I use 301 vs 302?
301 when the move is permanent: search engines transfer ranking to the new URL and browsers cache the redirect aggressively. 302 when temporary. Using 301 for something that later moves back is painful because the redirect is cached.
Which code for validation errors?
422 Unprocessable Entity is the conventional choice for syntactically valid requests that fail business validation, with 400 reserved for requests that cannot be parsed at all. Plenty of APIs use 400 for both, which is acceptable; just be consistent.