HTTP Status Codes Reference

Searchable reference of all HTTP status codes with descriptions. Filter by category - 1xx, 2xx, 3xx, 4xx, and 5xx responses.

A searchable reference of every standard HTTP status code registered with IANA, grouped into five categories: 1xx Informational, 2xx Success, 3xx Redirection, 4xx Client Error, and 5xx Server Error. Search by code number or keyword, filter by category, and copy any code with one click. All codes follow the current HTTP semantics specification, RFC 9110, published by the IETF in June 2022.

Ad
Ad

About HTTP Status Codes Reference

How HTTP Status Codes Work

Every HTTP response begins with a three-digit status code. The first digit defines which of the five categories the response belongs to, while the remaining two digits identify the specific condition. When a browser or API client makes a request, the server returns one of these codes along with optional headers and a body. The client then decides what to do based on the code - display content, follow a redirect, show an error, or retry the request.

RFC 9110 consolidates the previous RFC 7230-7235 series into a single specification for HTTP semantics. It defines the meaning of each status code regardless of whether HTTP/1.1, HTTP/2, or HTTP/3 is used as the transport. The IANA Hypertext Transfer Protocol Status Code Registry at iana.org/assignments/http-status-codes is the authoritative list, and any new codes require IETF Review before registration.

Status Code Categories

RangeCategoryMeaningExamples
1xxInformationalRequest received, processing continues100 Continue, 101 Switching Protocols, 103 Early Hints
2xxSuccessRequest received, understood, and accepted200 OK, 201 Created, 204 No Content, 206 Partial Content
3xxRedirectionFurther action needed to complete request301 Moved Permanently, 304 Not Modified, 307 Temporary Redirect
4xxClient ErrorThe request contains an error400 Bad Request, 404 Not Found, 429 Too Many Requests
5xxServer ErrorThe server failed to fulfil a valid request500 Internal Server Error, 503 Service Unavailable

Most Used Status Codes for REST APIs

Building a REST API means picking the right status code for every endpoint. Using generic 200 for everything technically works, but it makes debugging harder and violates HTTP semantics. Here are the codes that cover the vast majority of API interactions.

CodeNameWhen to UseTypical HTTP Method
200OKGeneral success responseGET, PUT, PATCH
201CreatedNew resource successfully createdPOST
204No ContentSuccess with no response bodyDELETE, PUT
400Bad RequestInvalid request body, missing parametersAny
401UnauthorizedMissing or invalid authenticationAny
403ForbiddenAuthenticated but not authorised for this resourceAny
404Not FoundResource does not existAny
409ConflictRequest conflicts with current state (duplicate, version mismatch)POST, PUT
422Unprocessable ContentRequest is well-formed but semantically invalidPOST, PUT
429Too Many RequestsRate limit exceededAny
500Internal Server ErrorUnexpected server failureAny
503Service UnavailableServer temporarily down (maintenance, overload)Any

Worked example: A POST to /api/users with a valid body creates a new user. The server returns 201 Created with a Location: /api/users/42 header pointing to the new resource. If the email already exists, the server returns 409 Conflict. If the request body is missing required fields, it returns 400 Bad Request. If the auth token is expired, it returns 401 Unauthorized with a WWW-Authenticate header.

Common Confusion: 401 vs 403

This is one of the most frequently misused pairs of status codes. The names are misleading - 401 is called "Unauthorized" but actually means "unauthenticated", while 403 "Forbidden" means "unauthorised". Here is the practical difference.

Aspect401 Unauthorized403 Forbidden
AuthenticationNot provided or invalidValid (user is known)
Problem"Who are you?""I know who you are, but you can't do this"
FixProvide valid credentialsRequest access from admin
Should includeWWW-Authenticate headerOptionally an error message
Retry with auth?Yes - might fix itNo - re-authenticating won't help

RFC 9110 Section 15.5.2 specifies that a 401 response must include a WWW-Authenticate header indicating which authentication scheme the server expects (e.g. Bearer, Basic). Omitting this header is technically a spec violation, though many APIs skip it in practice.

Redirect Codes Explained

Redirect codes tell the client that the resource has moved. The differences between them matter for SEO and for preserving the original HTTP method (GET, POST, etc.) during the redirect.

CodeNamePermanent?Method Preserved?Use Case
301Moved PermanentlyYes (cached)May change to GETDomain change, URL restructure (SEO-friendly)
302FoundNoMay change to GETTemporary redirect (legacy, ambiguous)
303See OtherNoAlways changes to GETRedirect after POST (form submission)
307Temporary RedirectNoYes (preserved)Temporary redirect that must keep the HTTP method
308Permanent RedirectYes (cached)Yes (preserved)Permanent redirect that must keep the HTTP method
304Not ModifiedN/AN/ACached version is still valid (conditional request)

For SEO, use 301 for permanent URL changes. Google transfers ranking signals from the old URL to the new one. Use 302 or 307 for temporary situations where the old URL should keep its ranking. The key distinction between 301/302 and 307/308 is method preservation - 301 and 302 allow the browser to change a POST into a GET during the redirect, while 307 and 308 require the original method to be used. This matters for API endpoints that accept POST data.

How Status Codes Affect SEO and Crawl Budget

Search engine crawlers treat status codes differently. Google allocates a crawl budget to each site - the number of pages Googlebot will fetch within a given period. Returning the wrong status code can waste that budget or cause pages to fall out of the index.

According to Google's developer documentation, when Googlebot encounters a 404 it eventually removes that URL from the index, though this can take months. A 410 Gone signals permanent removal and is processed faster. Soft 404s - pages that return 200 OK but display "page not found" content - are particularly harmful. In 2025, Google's Gary Illyes confirmed that soft 404s consume crawl budget just like real pages, even though they return a success code. If 10% of crawled URLs are soft 404s, that is 10% of the crawl budget wasted on non-existent content.

A chain of 301 redirects (A redirects to B, B redirects to C) dilutes link equity and slows down crawling. Keep redirect chains to a single hop where possible. For decoding and debugging URL-encoded query strings during redirect troubleshooting, a URL decoder helps isolate where things break.

Status Codes and Caching

Not every response can be cached. The HTTP spec defines which status codes are cacheable by default, meaning a cache can store the response without explicit Cache-Control headers. Understanding this prevents stale data bugs and unnecessary server load.

CodeCacheable by Default?Notes
200YesCan be cached unless Cache-Control says otherwise
301YesBrowsers cache permanently - be careful with these
302No (usually)Not cached unless Cache-Control explicitly allows it
304N/AConfirms cached version is current
404Technically yesCan be cached, but usually not desired
500NoErrors should not be cached

The 304 Not Modified code is central to conditional caching. The client sends an If-None-Match (ETag) or If-Modified-Since header, and if the resource has not changed, the server returns 304 with no body, saving bandwidth. This is how CDNs avoid re-transferring unchanged assets on every request.

What Is 103 Early Hints?

103 Early Hints (RFC 8297) lets the server send a preliminary response before the final 200 OK. This is useful when the server needs time to generate the full response - it can tell the browser to start preloading CSS, fonts, or JavaScript in the meantime. Chrome has supported Early Hints since version 103, and Firefox and Edge also support it. According to Cloudflare, Early Hints can shave nearly a full second off Largest Contentful Paint (LCP) scores by letting the browser fetch critical resources during server think time rather than waiting idle. Support is limited to HTTP/2 and HTTP/3 connections.

206 Partial Content and Range Requests

The 206 Partial Content code means the server is delivering only part of a resource, in response to a Range header from the client. This powers resumable downloads and video streaming - a browser can request bytes 1000-2000 of a video file, and the server returns just that chunk with a Content-Range header. If a download is interrupted, the client can resume from where it left off instead of starting over. Media players rely on this for seeking to arbitrary positions in audio and video files.

Fun and Notable Codes

CodeNameOrigin
418I'm a TeapotRFC 2324 (1998 April Fools joke - Hyper Text Coffee Pot Control Protocol)
451Unavailable For Legal ReasonsNamed after Ray Bradbury's Fahrenheit 451 - used when content is censored or blocked by legal demand
420Enhance Your CalmUsed by Twitter's old API for rate limiting (unofficial, never registered with IANA)
103Early HintsRFC 8297 - allows preloading resources before the final response arrives
402Payment RequiredReserved for future use since HTTP/1.1 in 1997 - still has no official definition, though some APIs use it for payment or quota limits

418 was never intended for production use, but it has taken on a life of its own. Google once returned 418 on google.com/teapot as an Easter egg. The code is specifically excluded from the IANA registry as a permanent joke, but developers still reference it in documentation and error-handling tutorials.

Quick Debugging Checklist

When an API call fails, checking the status code narrows down the problem fast:

Getting 4xx errors? The problem is on the client side. Check the request URL, headers, authentication token, and request body. A JSON Formatter helps validate that the request payload is well-formed JSON. For JWT tokens, decode them to check expiry and claims.

Getting 5xx errors? The problem is on the server side. Check server logs, database connections, and resource limits. A 502 or 504 often points to a reverse proxy or load balancer that cannot reach the upstream application. A 503 usually means the server is overloaded or in maintenance mode - check the Retry-After header for when to try again.

Getting unexpected redirects? Trace the redirect chain with curl -vL to see each hop. Check whether 301 or 302 is used - a 302 where a 301 is intended wastes crawl budget and does not transfer link equity. For looking up Content-Type values returned in response headers, the MIME Types Reference has a searchable list.

Sources

Frequently Asked Questions

What are HTTP status codes?

HTTP status codes are three-digit numbers returned by a web server in response to a request. They indicate whether the request was successful, redirected, or resulted in an error. The first digit defines the category: 1xx informational, 2xx success, 3xx redirection, 4xx client error, and 5xx server error.

What is the difference between 401 and 403?

A 401 Unauthorized means the client has not provided valid authentication credentials. A 403 Forbidden means the server understood the request but refuses to authorise it, even with valid credentials. Re-authenticating will help with 401 but not 403.

When should I use 200 vs 201 vs 204?

Use 200 OK for general successful requests. Use 201 Created when a new resource has been created, typically after a POST. Use 204 No Content when the request succeeds but there is no body to return, common for DELETE operations.

What does 418 I'm a Teapot mean?

Status code 418 is a playful Easter egg defined in RFC 2324 (Hyper Text Coffee Pot Control Protocol). It was written as an April Fools joke but has become a well-known part of HTTP lore. Some servers return it as a fun response.

Is this reference complete?

Yes, it covers all standard HTTP status codes defined by IANA, including common extensions like 418 and 451. Each code includes its official name and a plain-English description of when it is used.

Link to this tool

Copy this HTML to link to this tool from your website or blog.

<a href="https://toolboxkit.io/tools/http-status-codes/" title="HTTP Status Codes Reference - Free Online Tool">Try HTTP Status Codes Reference on ToolboxKit.io</a>