What does that status code actually mean?
Your API returns a 502 and you vaguely remember it’s some kind of gateway problem. Or you’re designing a REST API and can’t remember whether a failed login should be 401 or 403. Or you’re debugging why your redirect gives you a 302 instead of a 301.
This is a searchable reference for every standard HTTP status code, organized by class. Search by number, name, or keyword. Filter by category. Read the description to understand when and why each code is used.
The five classes
1xx, Informational. The server got your request and is still processing. You’ll rarely encounter these unless you’re working with WebSockets (101 Switching Protocols) or chunked uploads (100 Continue).
2xx, Success. The good ones. 200 OK is the most common response on the internet. 201 Created is what your POST endpoint should return when it makes a new record. 204 No Content is for DELETEs, “yes, I deleted it, there’s nothing to send back.”
3xx, Redirection. 301 Moved Permanently, the URL changed, update your bookmarks (and SEO juice transfers). 302 Found, temporary redirect. 304 Not Modified, your cached version is still good, no need to download again.
4xx, Client errors. The client did something wrong. 400 for malformed requests, 401 for “you’re not logged in,” 403 for “you’re logged in but don’t have access,” 404 for “that doesn’t exist,” and 429 for “slow down, you’re hitting the rate limit.”
5xx, Server errors. The server broke. 500 is the catch-all “something went wrong.” 502 Bad Gateway usually means your reverse proxy can’t reach the backend. 503 Service Unavailable means the server is overloaded or down for maintenance.
The ones you’ll use every day
200: request worked, here’s the data. 201: resource created, here’s the new thing. 204: done, nothing to return. 301: permanently moved, update your references. 400: your request body is invalid. 401: you need to authenticate first. 403: you’re authenticated but not authorized. 404: doesn’t exist. 429: rate limited, try again later. 500: server error, probably check the logs.
FAQ
401 vs 403, what’s the actual difference?
401 means “I don’t know who you are, send credentials.” 403 means “I know who you are, and you’re not allowed.” A missing auth token is 401. A valid token without admin privileges trying to hit an admin endpoint is 403.
What about 418?
It’s a teapot. RFC 2324, April Fools’ 1998, Hyper Text Coffee Pot Control Protocol. Not used in production, universally beloved by developers, occasionally returned as an easter egg.
404 vs 410?
404: the resource doesn’t exist right now. Might come back. 410: it’s gone permanently and won’t return. Use 410 when you want search engines to drop the URL from their index.
How do I pick the right code for my REST API?
GET/PUT success → 200. POST that creates → 201. DELETE → 204. Validation error → 400. Missing auth → 401. Forbidden → 403. Not found → 404. That covers 90% of cases.