1xx API status code
100 Continue The server received the request headers and is ready for the body.
This informational response usually appears when a client sends an `Expect: 100-continue` header before uploading a large payload.
Common causes Large file uploads where the client waits for approval before streaming the request body. HTTP clients or proxies that automatically send `Expect: 100-continue` for large requests. Fix suggestions Treat it as an interim response and continue sending the request body if the server allows it. Disable `Expect: 100-continue` in the client if the extra round trip is causing issues. 1xx API status code
101 Switching Protocols The server accepted a request to change protocols.
A 101 response confirms the connection is moving from HTTP to another protocol such as WebSocket.
Common causes A successful WebSocket upgrade handshake. Clients requesting a protocol upgrade that the server supports. Fix suggestions Verify the `Upgrade` and `Connection` headers are set correctly in the request. Check that any proxy or load balancer allows protocol upgrades end to end. 1xx API status code
102 Processing The server accepted the request and is still working on it.
This WebDAV status tells the client the request is valid but the final response is not ready yet.
Common causes Long-running write operations on WebDAV or document management endpoints. APIs that need to signal progress while avoiding client timeouts. Fix suggestions Wait for the final response instead of treating 102 as a failure. For custom APIs, prefer 202 with a polling resource if background work is involved. 1xx API status code
103 Early Hints The server is sending preload hints before the final response.
A 103 response can expose headers like `Link: rel=preload` so the client starts fetching critical assets earlier.
Common causes Servers optimizing page or asset loading before the main response is complete. CDNs or frameworks emitting preload hints for CSS, fonts, or scripts. Fix suggestions Treat it as a performance hint, not a terminal response. Validate that hinted assets are actually critical and cacheable. 2xx API status code
200 OK The request succeeded and the server returned the expected result.
This is the standard success response for most REST API reads, updates, and actions that return content.
Common causes Successful GET requests that return JSON or HTML. Successful POST, PUT, or PATCH operations that also return a resource payload. Fix suggestions Use 200 when the action succeeded and the response body adds value. Avoid using 200 for application-level failures hidden inside the payload. 2xx API status code
201 Created The request created a new resource successfully.
A 201 response is the clearest success code for resource creation and often includes the new resource or a `Location` header.
Common causes Successful POST requests that create a record, job, or document. Provisioning APIs that return the newly created resource identifier. Fix suggestions Return 201 instead of 200 when a new resource is created. Include the resource representation or `Location` header so the client can follow up cleanly. 2xx API status code
202 Accepted The request was accepted, but the work is still pending.
This is useful for async APIs where the server queues work and finishes it later.
Common causes Background jobs for imports, report generation, or video processing. Webhook or task queue systems that acknowledge receipt before completion. Fix suggestions Return a job ID or status URL so clients can poll or subscribe for completion. Do not use 202 if the work already finished synchronously during the request. 2xx API status code
204 No Content The request succeeded and there is no body to return.
A 204 response is common for deletes, toggles, and idempotent updates where an empty body is intentional.
Common causes DELETE requests that remove a resource cleanly. PUT or PATCH requests where the server has nothing useful to send back. Fix suggestions Return 204 only when the client does not need a response body. Make sure the response body is actually empty to avoid client parsing issues. 2xx API status code
206 Partial Content The server returned part of the resource because the client requested a range.
This status supports resumable downloads and streaming by returning the requested byte range instead of the full payload.
Common causes Range requests for media files or large downloads. Clients resuming interrupted downloads. Fix suggestions Ensure `Content-Range` and `Accept-Ranges` headers are correct. Fall back to 200 if the endpoint does not support range requests. 3xx API status code
301 Moved Permanently The resource has a new permanent URL.
A 301 redirect tells clients and search engines to update bookmarks, caches, and links to the new location.
Common causes Permanent route migrations after an API version or path change. Domain or host canonicalization rules. Fix suggestions Use 301 only when the move is permanent and the new URL is stable. Make sure the `Location` header points to the correct canonical endpoint. 3xx API status code
302 Found The resource is temporarily available at a different URL.
Many legacy systems use 302 for temporary redirects, although 307 is safer when the HTTP method must be preserved.
Common causes Temporary maintenance routing or login redirects. Server-side flows that move the client to a different endpoint for a short period. Fix suggestions Prefer 307 when you need to preserve the original request method and body. Use 302 only when a temporary redirect is intended and client behavior is acceptable. 3xx API status code
304 Not Modified The cached representation is still valid, so the server sends no new body.
A 304 response appears when conditional request headers such as `If-None-Match` or `If-Modified-Since` match the current resource state.
Common causes ETag-based or last-modified caching in browsers, CDNs, and API clients. Revalidation requests where the resource has not changed. Fix suggestions Set ETags or last-modified headers consistently so caches behave predictably. Do not send a response body with 304. 3xx API status code
307 Temporary Redirect The resource temporarily moved and the client should keep the same method.
A 307 redirect is the safer modern choice for temporary API redirects because it preserves the original HTTP verb and body.
Common causes Traffic shifting between temporary endpoints during maintenance or migration. Short-lived regional or canary routing changes. Fix suggestions Use 307 instead of 302 for POST, PUT, PATCH, and DELETE redirects. Verify the client or proxy follows method-preserving redirects correctly. 3xx API status code
308 Permanent Redirect The resource permanently moved and the original method should be preserved.
A 308 combines the permanence of 301 with method preservation, which makes it useful for API route migrations.
Common causes Permanent versioned API path changes where POST or PUT requests must still work. Long-term canonical URL migrations. Fix suggestions Use 308 when the move is permanent and non-GET methods must be preserved. Confirm clients, SDKs, and proxies support 308 before rolling it out broadly. 4xx API status code
400 Bad Request The server could not process the request because it was malformed.
A 400 response means the client sent invalid syntax, missing required fields, or an otherwise unusable request.
Common causes Malformed JSON, missing query parameters, or invalid path values. Schema validation failures before business logic runs. Incorrect headers such as a bad `Content-Type`. Fix suggestions Return field-level validation messages so the client can correct the payload quickly. Validate input consistently at the API boundary before deeper processing. 4xx API status code
401 Unauthorized The request is missing valid authentication credentials.
Despite the name, 401 is about authentication failure, not permission failure.
Common causes Missing bearer token, expired session, or invalid API key. Signed requests with bad timestamps or signatures. Fix suggestions Return a `WWW-Authenticate` header or a clear auth error body when appropriate. Use 403 instead when the user is authenticated but lacks permission. 4xx API status code
403 Forbidden The client is authenticated, but access is not allowed.
A 403 response means the server understood the request and credentials, but policy or permissions block the action.
Common causes Role-based access checks failing. Blocked IPs, disabled accounts, or tenant boundary violations. Fix suggestions Review authorization rules and confirm the caller really has the required scope or role. Avoid returning 403 for missing auth when 401 is more accurate. 4xx API status code
404 Not Found The requested route or resource does not exist.
A 404 is the standard response when the client asks for an unknown endpoint or a missing record.
Common causes Misspelled routes, wrong environment base URL, or deleted resources. Resource IDs that do not exist in the current tenant or database. Fix suggestions Verify the route, version prefix, and resource identifier are correct. Use 410 instead of 404 if the resource was intentionally removed and that distinction matters. 4xx API status code
405 Method Not Allowed The route exists, but it does not support that HTTP method.
A 405 response commonly appears when a client sends POST to a GET-only endpoint or DELETE to a read-only route.
Common causes Frontend or SDK code calling the right path with the wrong verb. Routing layers exposing a resource but not the requested method. Fix suggestions Return an `Allow` header listing supported methods. Check the client integration and route handler mapping for verb mismatches. 4xx API status code
408 Request Timeout The server timed out waiting for the client to finish the request.
A 408 response usually means the client was too slow sending headers or the request body.
Common causes Slow uploads, broken mobile networks, or abandoned connections. Reverse proxies with aggressive request-read timeouts. Fix suggestions Review client upload behavior and any proxy timeout configuration. Use resumable uploads or smaller payloads for large request bodies. 4xx API status code
409 Conflict The request conflicts with the current state of the resource.
A 409 response fits concurrency and uniqueness problems where the request is valid but cannot be applied as-is.
Common causes Duplicate unique keys such as email addresses or slugs. Optimistic locking failures or stale client updates. Fix suggestions Return details about the conflicting field or resource version. Use ETags, version fields, or idempotency keys to reduce duplicate submissions. 4xx API status code
410 Gone The resource used to exist but is intentionally unavailable now.
A 410 response is more explicit than 404 when a resource or endpoint has been permanently removed.
Common causes Deprecated endpoints that were intentionally retired. Resources deleted as part of a retention or compliance policy. Fix suggestions Use 410 when clients should stop retrying or expecting the resource to return. Include migration guidance if a replacement endpoint exists. 4xx API status code
412 Precondition Failed A conditional request check did not pass.
This response appears when headers like `If-Match` or `If-Unmodified-Since` do not match the server state.
Common causes Concurrent updates where the resource changed since the client last fetched it. Conditional writes or deletes guarded by ETag checks. Fix suggestions Fetch the latest resource state and retry with the current ETag or version. Use 412 for stale updates instead of silently overwriting newer data. 4xx API status code
415 Unsupported Media Type The server does not support the request payload format.
A 415 response means the `Content-Type` is wrong or the server cannot parse that media type for the endpoint.
Common causes Sending form data to a JSON-only endpoint. Missing or incorrect `Content-Type` headers. Fix suggestions Set `Content-Type: application/json` when sending JSON payloads. Document accepted request formats clearly in the API reference. 4xx API status code
422 Unprocessable Content The request shape is valid, but the submitted values fail validation rules.
A 422 response is useful when the payload is syntactically correct JSON but business validation still fails.
Common causes Invalid email formats, date ranges, enum values, or domain-specific constraints. Requests that pass schema parsing but violate application rules. Fix suggestions Return precise, field-level validation messages for the client. Use 400 for malformed input and 422 for semantically invalid input to keep errors consistent. 4xx API status code
429 Too Many Requests The client hit a rate limit.
A 429 response protects an API when a caller exceeds request, token, or concurrency quotas.
Common causes Burst traffic from a single client or integration. Shared API keys exceeding tenant-level or user-level quotas. Fix suggestions Return `Retry-After` or rate-limit headers so callers know when to back off. Add exponential backoff and request batching on the client side. 4xx API status code
431 Request Header Fields Too Large The request headers are too large for the server or proxy to accept.
This often happens when cookies, custom headers, or auth metadata grow beyond configured size limits.
Common causes Oversized cookies attached to every request. Long JWTs, tracing headers, or duplicated custom headers. Fix suggestions Trim header size, reduce cookie bloat, and avoid repeating large values. Check any proxy or CDN header-size limits if the issue only appears in production. 4xx API status code
451 Unavailable For Legal Reasons The resource is blocked due to a legal or policy requirement.
A 451 response indicates the server is intentionally withholding the resource because of legal demands or jurisdiction-based restrictions.
Common causes Court orders, takedown requests, or geo-restriction rules. Content or feature availability limited by region-specific regulation. Fix suggestions Return a short explanation when policy allows it so the restriction is explicit. Use 403 for general permission denials and 451 only for legal restrictions. 5xx API status code
500 Internal Server Error The server hit an unexpected failure while handling the request.
A 500 response is the general fallback for unhandled exceptions, broken assumptions, and unexpected runtime failures.
Common causes Unhandled application exceptions or null reference errors. Database, dependency, or configuration problems bubbling up unexpectedly. Fix suggestions Inspect server logs, traces, and recent deploys to find the failing code path. Replace catch-all 500s with more specific error handling where the failure mode is known. 5xx API status code
501 Not Implemented The server does not support the requested functionality.
A 501 response means the server does not recognize or cannot fulfill the method or capability the client requested.
Common causes Methods or features declared in the API contract but not actually implemented. Gateways forwarding verbs or capabilities the upstream service does not support. Fix suggestions Use 405 for unsupported methods on a known route and 501 when the capability itself is not implemented. Align the API documentation and SDK behavior with what the service actually supports. 5xx API status code
502 Bad Gateway A gateway or proxy received an invalid response from the upstream server.
This usually points to issues between services rather than a direct client mistake.
Common causes Reverse proxies receiving malformed or incomplete upstream responses. Upstream crashes, TLS mismatches, or connection resets between services. Fix suggestions Check the upstream service health and the gateway logs together. Verify protocol, timeout, and TLS settings between the proxy and origin service. 5xx API status code
503 Service Unavailable The server is temporarily unable to handle the request.
A 503 response is appropriate for planned maintenance, overload protection, or short-lived dependency outages.
Common causes Servers in maintenance mode or during rolling deploys. Autoscaling lag, dependency outages, or load shedding under traffic spikes. Fix suggestions Return `Retry-After` when clients should retry later. Use 503 instead of 500 when the outage is temporary and operational rather than a code bug. 5xx API status code
504 Gateway Timeout A gateway or proxy timed out waiting for the upstream server.
A 504 response signals that an intermediary waited too long for a backend dependency or origin service.
Common causes Slow database queries or downstream APIs exceeding upstream timeout limits. Load balancers or API gateways with tighter timeout settings than the application expects. Fix suggestions Profile the slow upstream call and reduce latency or move the work async. Align timeout settings across proxies, app servers, and downstream services. 5xx API status code
507 Insufficient Storage The server cannot store the representation needed to complete the request.
This WebDAV-origin status can also surface in storage-heavy APIs when disk or object storage limits are exhausted.
Common causes Disk exhaustion, quota limits, or full object storage targets. Upload services trying to persist files without enough available capacity. Fix suggestions Check storage capacity, quotas, and cleanup jobs on the affected service. Expose clearer quota messages to clients if the failure is tenant-specific. 5xx API status code
508 Loop Detected The server detected an infinite loop while processing the request.
This status is rare in general REST APIs but can appear in recursive graph, sync, or WebDAV operations.
Common causes Recursive dependency traversal with circular references. Misconfigured routing or sync logic that repeatedly invokes itself. Fix suggestions Inspect recursion guards, graph traversal logic, and cycle detection. Add request correlation and loop protection when services can call each other recursively. 5xx API status code
511 Network Authentication Required The client must authenticate to gain network access before the request can proceed.
This status is typically generated by a proxy or captive portal rather than the API application itself.
Common causes Corporate guest Wi-Fi or captive portal networks intercepting requests. Proxy infrastructure requiring an extra network login step. Fix suggestions Verify whether the request is passing through a captive portal or filtering proxy. Do not use 511 for normal API auth failures; use 401 or 403 instead.