🌐 HTTP Status Code Reference
Quick reference for all common HTTP status codes with descriptions and use cases.
The request succeeded. Standard response for successful HTTP requests.
The request succeeded and a new resource was created.
The server processed the request but returns no content.
The URL has been permanently changed. SEO juice is transferred.
Temporary redirect. Original URL will be used in the future.
The cached version is still valid. No need to resend data.
The server cannot process the request due to malformed syntax.
Authentication is required and has failed or not been provided.
The server understood the request but refuses to authorize it.
The server cannot find the requested resource.
The HTTP method used is not supported for this resource.
The request conflicts with the current state of the server.
The server understands the content but cannot process it.
The user has sent too many requests - rate limiting applied.
The server encountered an unexpected condition.
Invalid response from an upstream server.
The server is temporarily unable to handle requests.
The upstream server failed to respond in time.
📊 Key Data Points
RFC 7231
The primary HTTP semantics RFC — defines the meaning of all standard status codes
63 codes
Total IANA-registered HTTP status codes across all five classes
307 vs 302
307 preserves HTTP method on redirect; 302 historically changes POST to GET
HTTP Status Codes Reference -- Complete USA Guide 2026
HTTP status codes are the first thing you check when an API call fails — but memorizing every code in the 4xx and 5xx ranges is not practical. Is 422 Unprocessable Entity or Too Many Requests? What is the difference between 401 and 403? Does 302 preserve the HTTP method on redirect?
This reference covers all standard HTTP status codes with descriptions, common causes, and correct usage guidance. Runs in your browser with instant search.
For debugging HTTP calls, use HTTP Headers Analyzer or build test requests with curl Builder.
🔬 How This Calculator Works
Organizes codes by class: 1xx informational, 2xx success, 3xx redirection, 4xx client errors, 5xx server errors. Each entry includes the official RFC description, practical meaning in API contexts, and common causes.
The search filters codes by number, name, or description in real time: type "redirect" to filter to 3xx codes, "auth" to find authentication-related responses, or "rate" to find 429.
Codes are sourced from RFC 7231 (HTTP/1.1 semantics), RFC 6585 (additional codes), and RFC 8470 — covering all IANA-registered status codes.
✅ What You Can Calculate
Instant code lookup
Type any number or keyword and get the matching codes immediately. Faster than a web search when debugging an API response.
API design guidance
Not just what each code means but when to use it: 400 vs 422 for validation errors, 401 vs 403 for access control, 201 vs 200 for resource creation.
Redirect behavior reference
Documents whether each 3xx code preserves the HTTP method: 301 and 302 historically change POST to GET; 307 and 308 preserve the method. Critical for CORS and form submission flows.
Common error causes
Each 5xx code includes the most common server-side causes: 502 Bad Gateway usually means your upstream is down, 504 Gateway Timeout means it is responding too slowly.
🎯 Real Scenarios & Use Cases
Designing a REST API
You need to choose between returning 400 or 422 for invalid request bodies. The reference clarifies: 400 for malformed syntax, 422 for semantically invalid but parseable data.
Debugging API integrations
Your webhook is getting a 403 but you are sending the correct auth header. The reference explains: 403 means authenticated but not authorized — check the permission scope.
Configuring load balancer health checks
AWS ALB uses specific HTTP codes for health check success (200-399 by default). Verify your application health endpoint returns a code in the expected success range.
Implementing retry logic
Which status codes should your API client retry on? 429 (rate limited) and 503 (service unavailable) warrant retry with backoff. 400 and 404 should not be retried.
💡 Pro Tips for Accurate Results
401 vs 403: the common confusion. 401 means "I do not know who you are, send credentials." 403 means "I know who you are, but you are not allowed." If a user is logged in and gets rejected, it should be 403, not 401.
Use 422 for validation errors in REST APIs. 422 Unprocessable Entity is the more semantically accurate code when the JSON is valid but the data fails business validation.
308 for permanent redirects with method preservation. If you are doing a permanent redirect and your endpoint accepts POST, use 308 instead of 301 to guarantee the method is preserved.
Implement 429 with Retry-After. Return 429 with a Retry-After: 60 header. Clients that respect this header will automatically back off instead of hammering your endpoint.
🏁 Bottom Line
HTTP status codes are a shared vocabulary between clients and servers. Using the wrong code sends misleading signals — returning 200 for an error means clients never retry; returning 500 for a client error means ops teams get paged.
For HTTP debugging: look up status codes here, analyze response headers with HTTP Headers Analyzer, and build test requests with curl Builder.
What is the difference between 401 Unauthorized and 403 Forbidden?
Despite the name, 401 Unauthorized actually means 'unauthenticated' — the request lacks valid credentials. The server is saying 'tell me who you are.' The response should include a WWW-Authenticate header indicating how to authenticate. 403 Forbidden means 'I know who you are, but you do not have permission to access this.' Authentication would not help — the resource is forbidden for this user. Common mistake: using 403 when you should use 401. If the user is not logged in, return 401. If they are logged in but lack the required role or permissions, return 403. Returning 404 instead of 403 for private resources is also common — hiding existence is a security choice, not an error classification.
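The 401/403/404 decision from this answer, as an added Python example (not code from this site). The resource table, the `Caller` type and the Bearer realm are constructed, and the sample API is assumed to require credentials on every route.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: path -> roles allowed, and whether existence is sensitive.
RESOURCES = {
    "/reports/42": {"allowed_roles": {"admin"}, "hide_existence": False},
    "/invoices/7": {"allowed_roles": {"billing"}, "hide_existence": True},
}

@dataclass
class Caller:
    user: Optional[str] = None            # None: no valid credentials were presented
    roles: set = field(default_factory=set)

def access_status(caller, path):
    """Return (status, headers) for a request to `path` made by `caller`."""
    # Authenticate before looking anything up, so an anonymous caller gets the
    # same 401 whether or not the path exists.
    if caller.user is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    resource = RESOURCES.get(path)
    if resource is None:
        return 404, {}
    if caller.roles & resource["allowed_roles"]:
        return 200, {}
    # Authenticated but not permitted. Where existence itself is sensitive,
    # answer exactly as for a missing resource; otherwise say 403.
    if resource["hide_existence"]:
        return 404, {}
    return 403, {}
```

When 404 is used to hide a resource, the whole response (body, headers and ideally timing) has to match a genuine miss, otherwise the difference gives the resource away.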
When should I use 200 vs 201 vs 204 for API responses?
200 OK: the request succeeded and the response body contains the result. Use for GET, PUT, PATCH responses that return the updated resource. 201 Created: a new resource was successfully created. Use for successful POST requests that create new records. The response should include a Location header pointing to the new resource URL. 204 No Content: the request succeeded but there is nothing to return. Use for DELETE requests (resource deleted, nothing to return) and some PUT/PATCH operations where the client does not need the updated resource back. Returning 200 with an empty body is functionally equivalent to 204 but semantically less precise.
What is the difference between 301 and 302 redirects?
301 Moved Permanently: the resource has permanently moved. Browsers cache this — after the first visit, the browser goes directly to the new URL. Search engines transfer link equity and update their index. 302 Found: temporary redirect. Browsers do not cache it — every request hits the original URL first. Search engines keep the original URL indexed. 307 Temporary Redirect: like 302, but explicitly preserves the HTTP method (a POST to a 307-redirected URL is re-POSTed, not converted to GET). 308 Permanent Redirect: like 301, but preserves the method. Use 301 for permanent URL changes and HTTPS upgrades. Use 302 for temporary maintenance pages.
What does a 429 Too Many Requests response mean and how should I handle it?
429 means you have exceeded the API's rate limit. The response should include a Retry-After header indicating when you can try again (either a seconds delay or a specific timestamp). Proper handling: implement exponential backoff — wait for Retry-After seconds if provided, or double your wait time on each consecutive 429 (start at 1s, then 2s, 4s, 8s, up to a maximum). Add jitter (random delay) to prevent synchronized retries from multiple clients all hitting the API at the same moment (thundering herd). Track your request rate and stay under the documented limit rather than reacting to 429s.
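The retry rules from this answer and from the retry-logic scenario earlier on the page, as an added Python example (not code from this site). `MAX_DELAY`, the 25% jitter range and the function names are assumptions; the cap also bounds a server-supplied Retry-After so a misbehaving endpoint cannot stall the client indefinitely.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RETRYABLE = {429, 503}   # the codes the page says to retry
BASE_DELAY = 1.0         # backoff steps: 1s, 2s, 4s, 8s ...
MAX_DELAY = 60.0         # assumed ceiling; also caps server-supplied values

def parse_retry_after(value, now):
    """Seconds to wait according to a Retry-After value, or None if unusable."""
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():     # delta-seconds form, e.g. "60"
        return float(value)
    try:                                        # HTTP-date form
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None                             # garbage header: fall back to backoff
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())

def retry_delay(status, attempt, retry_after=None, now=None, rng=random):
    """Seconds to wait before retry number `attempt` (0-based), or None to give up."""
    if status not in RETRYABLE:
        return None                             # 400, 404 etc. will not succeed on retry
    now = now or datetime.now(timezone.utc)
    hinted = parse_retry_after(retry_after, now)
    if hinted is not None:
        base = min(hinted, MAX_DELAY)           # never honor an unbounded server value
    else:
        base = min(BASE_DELAY * (2 ** attempt), MAX_DELAY)
    # Jitter: wait up to 25% longer so clients do not retry in lockstep.
    return base + rng.uniform(0, base * 0.25)
```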
What is the difference between 500, 502, 503, and 504?
500 Internal Server Error: the server encountered an unexpected error — a bug, unhandled exception, or misconfiguration in the application code. 502 Bad Gateway: the gateway/proxy received an invalid response from the upstream server — typically means the upstream server is down or returning garbage. 503 Service Unavailable: the server is temporarily unable to handle the request — usually during maintenance, overload, or startup. Should include Retry-After. 504 Gateway Timeout: the gateway/proxy did not receive a timely response from upstream — the upstream server is too slow or unresponsive. 502 and 504 appear at the load balancer/CDN level when backend services fail.
What does 418 I'm a Teapot mean?
418 is an April Fools' joke from RFC 2324 (1998) — the Hyper Text Coffee Pot Control Protocol. The spec defines 418 as the response when a teapot is asked to brew coffee. It was never a serious HTTP status code and was not supposed to be implemented. It survived as an Easter egg and is used by some APIs for humorous responses. Despite being a joke, 418 is listed in the IANA HTTP Status Code Registry (marked as unused) and Node.js, Go, and Python all include it in their HTTP status code constants. It occasionally appears in API error responses for 'this request makes no sense' situations, where the developer wanted to signal an absurd request without implying a real error.
What other HTTP and API tools are on this site?
The HTTP Headers Analyzer decodes response headers including the status code context. The curl Builder generates commands that reveal status codes when testing endpoints. The API Response Time Calculator models timeout values relative to expected response times. The JWT Decoder inspects auth tokens that affect which status code an API returns (valid token vs expired = 200 vs 401). The Meta Tag Generator includes HTTP-equiv tags that can influence browser behavior for certain status codes. All are in the Dev Tools section.