HTTP Status Codes Reference

Searchable reference of every HTTP status code — names, descriptions, and the RFCs that define them.

Last updated: April 13, 2026

Code	Category	Name & description
100	1xx	Continue The client should continue with its request. This interim response informs the client that the initial part of the request has been received and the server has not yet rejected it. RFC 9110
101	1xx	Switching Protocols The server is switching protocols as requested by the client via the Upgrade header field. RFC 9110
102	1xx	Processing The server has received and is processing the request, but no response is available yet. Used for WebDAV. RFC 2518
103	1xx	Early Hints Used to return some response headers before final HTTP message, allowing the user agent to start preloading resources. RFC 8297
200	2xx	OK The request has succeeded. The meaning depends on the HTTP method used. RFC 9110
201	2xx	Created The request has been fulfilled and has resulted in one or more new resources being created. RFC 9110
202	2xx	Accepted The request has been accepted for processing, but the processing has not been completed. RFC 9110
203	2xx	Non-Authoritative Information The returned metadata is not exactly the same as available from the origin server, but has been collected from a local or third-party copy. RFC 9110
204	2xx	No Content The server successfully processed the request and is not returning any content. RFC 9110
205	2xx	Reset Content The server successfully processed the request and asks the requester to reset its document view. RFC 9110
206	2xx	Partial Content The server is delivering only part of the resource due to a range header sent by the client. RFC 9110
207	2xx	Multi-Status A WebDAV response that can contain multiple separate response codes depending on the sub-requests. RFC 4918
208	2xx	Already Reported Used inside a DAV: propstat response element to avoid enumerating the internal members of multiple bindings to the same collection repeatedly. RFC 5842
226	2xx	IM Used The server has fulfilled a GET request for the resource, and the response is a representation of the result of instance manipulations applied to the current instance. RFC 3229
300	3xx	Multiple Choices Indicates multiple options for the resource from which the client may choose. RFC 9110
301	3xx	Moved Permanently This and all future requests should be directed to the given URI. RFC 9110
302	3xx	Found The resource was found but at a different URI. The client should follow the redirect using the same method. RFC 9110
303	3xx	See Other The response to the request can be found under another URI using the GET method. RFC 9110
304	3xx	Not Modified Indicates that the resource has not been modified since the version specified by the request headers. RFC 9110
307	3xx	Temporary Redirect The request should be repeated with another URI but future requests should still use the original URI. The HTTP method must not change. RFC 9110
308	3xx	Permanent Redirect The request and all future requests should be repeated using another URI. The HTTP method must not change. RFC 9110
400	4xx	Bad Request The server cannot or will not process the request due to an apparent client error (e.g. malformed syntax). RFC 9110
401	4xx	Unauthorized Authentication is required and has failed or has not yet been provided. RFC 9110
402	4xx	Payment Required Reserved for future use. Originally intended for digital cash or micropayment systems. RFC 9110
403	4xx	Forbidden The request was valid, but the server is refusing action. The user might not have the necessary permissions. RFC 9110
404	4xx	Not Found The requested resource could not be found but may be available in the future. RFC 9110
405	4xx	Method Not Allowed A request method is not supported for the requested resource. RFC 9110
406	4xx	Not Acceptable The requested resource is capable of generating only content not acceptable according to the Accept headers sent in the request. RFC 9110
407	4xx	Proxy Authentication Required The client must first authenticate itself with the proxy. RFC 9110
408	4xx	Request Timeout The server timed out waiting for the request. RFC 9110
409	4xx	Conflict The request could not be processed because of conflict in the current state of the resource. RFC 9110
410	4xx	Gone The resource requested is no longer available and will not be available again. RFC 9110
411	4xx	Length Required The request did not specify the length of its content, which is required by the requested resource. RFC 9110
412	4xx	Precondition Failed The server does not meet one of the preconditions specified in the request headers. RFC 9110
413	4xx	Content Too Large The request is larger than the server is willing or able to process. Previously "Payload Too Large". RFC 9110
414	4xx	URI Too Long The URI provided was too long for the server to process. RFC 9110
415	4xx	Unsupported Media Type The request entity has a media type which the server or resource does not support. RFC 9110
416	4xx	Range Not Satisfiable The client has asked for a portion of the file, but the server cannot supply that portion. RFC 9110
417	4xx	Expectation Failed The server cannot meet the requirements of the Expect request-header field. RFC 9110
418	4xx	I'm a teapot Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". An April Fools' joke from 1998. RFC 2324
421	4xx	Misdirected Request The request was directed at a server that is not able to produce a response. RFC 9110
422	4xx	Unprocessable Content The request was well-formed but was unable to be followed due to semantic errors. RFC 9110
423	4xx	Locked The resource that is being accessed is locked. RFC 4918
424	4xx	Failed Dependency The request failed because it depended on another request and that request failed. RFC 4918
425	4xx	Too Early Indicates that the server is unwilling to risk processing a request that might be replayed. RFC 8470
426	4xx	Upgrade Required The client should switch to a different protocol such as TLS/1.3. RFC 9110
428	4xx	Precondition Required The origin server requires the request to be conditional. RFC 6585
429	4xx	Too Many Requests The user has sent too many requests in a given amount of time. Used for rate limiting. RFC 6585
431	4xx	Request Header Fields Too Large The server is unwilling to process the request because its header fields are too large. RFC 6585
451	4xx	Unavailable For Legal Reasons A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource. RFC 7725
500	5xx	Internal Server Error A generic error message, given when an unexpected condition was encountered and no more specific message is suitable. RFC 9110
501	5xx	Not Implemented The server either does not recognize the request method, or it lacks the ability to fulfill the request. RFC 9110
502	5xx	Bad Gateway The server was acting as a gateway or proxy and received an invalid response from the upstream server. RFC 9110
503	5xx	Service Unavailable The server is currently unavailable (because it is overloaded or down for maintenance). RFC 9110
504	5xx	Gateway Timeout The server was acting as a gateway or proxy and did not receive a timely response from the upstream server. RFC 9110
505	5xx	HTTP Version Not Supported The server does not support the HTTP protocol version used in the request. RFC 9110
506	5xx	Variant Also Negotiates Transparent content negotiation for the request results in a circular reference. RFC 2295
507	5xx	Insufficient Storage The server is unable to store the representation needed to complete the request. RFC 4918
508	5xx	Loop Detected The server detected an infinite loop while processing the request. RFC 5842
510	5xx	Not Extended Further extensions to the request are required for the server to fulfill it. RFC 2774
511	5xx	Network Authentication Required The client needs to authenticate to gain network access. RFC 6585

61 of 61 status codes

How the five HTTP status code classes work

Every HTTP response starts with a three-digit status code defined in RFC 9110. The first digit tells you which of five classes the response belongs to — and once you've internalised the classes, most codes make immediate sense without a lookup.

1xx — Informational. The server has received your request and is telling you to hang on. You rarely see these in application code; they matter for WebSocket upgrades (101) and streaming uploads (100).
2xx — Success. The request was received, understood, and processed. 200, 201, and 204 are the ones that matter for most APIs.
3xx — Redirection. The resource lives somewhere else. The client is expected to make another request to the new location.
4xx — Client error. The request is broken in some way that the client should be able to fix. This is where authorization, validation, and missing-resource errors live.
5xx — Server error. The server understood the request but failed to complete it. Unlike 4xx, these are usually not the client's fault.

The rule of thumb when debugging: 4xx means "you did something wrong", 5xx means "we did something wrong". If you're on the server side reading logs, 5xx is what pages you at 2 AM — 4xx rarely does.

The status codes you'll actually use

Out of the 60+ codes defined across RFC 9110 and related specs, a short list covers almost every real-world interaction:

200 OK — the request succeeded and the response has a body.
201 Created — a POST that successfully created a new resource. Include a Location header pointing to it.
204 No Content — success, but there's nothing to send back. Typical for DELETE and some PUT responses.
301 Moved Permanently and 308 Permanent Redirect — the resource lives at a new URL forever. 308 preserves the request method (POST stays POST); 301 is historically allowed to switch POST to GET.
302 Found and 307 Temporary Redirect — a temporary redirect. 307 preserves method; 302 is historically allowed to switch POST to GET.
304 Not Modified — the client's cached copy is still valid. Sent in response to a conditional GET with If-Modified-Since or If-None-Match.
400 Bad Request — the request is syntactically broken or has invalid fields. Validation errors typically return 400 with a body describing what failed.
401 Unauthorized — the client is not authenticated. Better named "Unauthenticated".
403 Forbidden — the client is authenticated but not allowed to access this resource.
404 Not Found — the resource doesn't exist, or the server doesn't want to admit it exists.
409 Conflict — the request conflicts with the current state. Typical for concurrent edits (optimistic locking failures).
422 Unprocessable Content — the request is syntactically correct but semantically invalid. Common in APIs for field-level validation errors.
429 Too Many Requests — rate-limited. Should include a Retry-After header.
500 Internal Server Error — the catch-all for "something broke and we don't know what".
502 Bad Gateway — the server got an invalid response from an upstream service. Very common when a load balancer can't reach a backend.
503 Service Unavailable — the server is temporarily overloaded or down for maintenance. Should include Retry-After.
504 Gateway Timeout — the server waited on an upstream service and gave up.

The pairs that trip people up

401 vs 403

The single most mis-used pair. The rule: 401 means "we don't know who you are"; 403 means "we know who you are and the answer is still no". If a logged-out user hits a protected endpoint, return 401. If a logged-in user hits an endpoint they lack permissions for, return 403.

301 vs 308 (and 302 vs 307)

The numbered pair difference is about request method. 301 and 302 are historical — they were defined before HTTP/1.1 clarified behaviour, and many clients rewrite POST to GET on these. 307 and 308 were added specifically to preserve the original method. If you're redirecting a POST and want it to stay a POST, use 307 (temporary) or 308 (permanent). For a GET, any of the four work.

400 vs 422

400 is for requests the server cannot parse at all (malformed JSON, missing required headers, bad URL). 422 is for requests the server parsed successfully but rejected on content grounds (email already taken, date in the past, password too short). Many APIs use 400 for both; strictly, 422 is the right one for validation.

502 vs 503 vs 504

All three are server-side failures but mean different things to oncall. 502 means the upstream returned garbage (process crashed mid-response, protocol mismatch). 503 means the server is up but intentionally refusing traffic (overloaded, maintenance). 504 means the server waited on the upstream past its deadline.

The weird ones

A handful of status codes exist mostly as trivia, but a few are genuinely useful in niche situations:

418 I'm a teapot — defined as an April Fool's joke in RFC 2324 (the Hyper Text Coffee Pot Control Protocol). Not part of HTTP proper. Some libraries and sites use it as a novelty "we're not serving you" code, which is exactly what an HTCPCP-compliant teapot would do.
451 Unavailable For Legal Reasons — reference to Ray Bradbury's Fahrenheit 451. Used when content is blocked by legal order (court injunction, GDPR takedown, DMCA). Should include a Link header pointing to information about the block.
425 Too Early — used with TLS 1.3 early data (0-RTT). If the server can't safely process a replay-able request, it returns 425 so the client retries without early data.
226 IM Used — for delta encoding, basically unused in modern HTTP.
509 Bandwidth Limit Exceeded — not in any RFC, but widely used by shared hosting providers.

Debugging workflow

When an API call returns an unexpected status code, the fastest diagnostic path is:

Read the first digit. 4xx means the request is broken; 5xx means the server is broken. This tells you whose logs to look at first.
Check the response body. Most modern APIs return a JSON error object with a code, message, and sometimes a trace_id. The body is usually more informative than the status code alone.
Check specific headers. Retry-After on 429/503 tells you when to try again. WWW-Authenticate on 401 tells you which auth scheme the server expects. Location on 3xx tells you where to go next.
Reproduce with curl -i. The -i flag prints response headers, which often contain the clue you need. -v prints the full request too.

Related HTTP & network tools

URL Parser — decode a URL into scheme, host, path, query, and fragment.
URL Encode / Decode — percent-encoding for query strings and path segments.
MIME Type Lookup — for the Content-Type header values you can never remember.
JWT Decoder — inspect the bearer token from your Authorization header.
Base64 — decode basic-auth headers and data-URL payloads.

Frequently Asked Questions

What does HTTP 200 mean?

HTTP 200 OK means the request succeeded. The exact meaning depends on the request method: for GET it means the requested resource is returned in the body, for POST it means the action was completed, and for DELETE it means the resource was removed.

What's the difference between 301 and 302?

301 Moved Permanently tells clients and search engines to update their links — the new location is permanent. 302 Found is a temporary redirect — clients should keep using the original URL for future requests. Use 301 for permanent moves and 302 for short-term redirects.

When should I return 401 vs 403?

401 Unauthorized means the client needs to authenticate (or their credentials are invalid). 403 Forbidden means the client is authenticated but doesn't have permission for this specific resource. Rough rule: 401 = "who are you?", 403 = "I know who you are and the answer is no."

What is the difference between 301 and 308 redirects?

Both are permanent redirects, but 308 preserves the request method while 301 is historically allowed to rewrite POST to GET. If you need a permanent redirect that must keep a POST as a POST (to avoid breaking form submissions), use 308. For GETs either works; 301 is better supported by older clients and SEO tooling.

When should I use 400 vs 422?

400 Bad Request is for requests the server cannot parse — malformed JSON, missing required headers, invalid URLs. 422 Unprocessable Content is for requests that parsed correctly but failed semantic validation — an email that is already taken, a password too short, a date in the past. Many APIs collapse both into 400; 422 is the strictly-correct choice for field-level validation errors.

What does HTTP 418 I'm a teapot mean?

It's a joke status code defined in RFC 2324, the Hyper Text Coffee Pot Control Protocol — an April Fool's Day RFC from 1998. It is not part of the real HTTP specification and no real HTTP server is required to implement it. Some libraries and sites use it as a novelty refusal code, but you should not return it in production APIs.

What's the difference between 502, 503, and 504?

All three are server-side failures. 502 Bad Gateway means an upstream service returned an invalid response (process crash, protocol mismatch). 503 Service Unavailable means the server is intentionally refusing traffic (overloaded, maintenance — should include a Retry-After header). 504 Gateway Timeout means the server waited on an upstream and gave up.

Related Tools

JWT Decoder

Paste a JWT to decode and inspect its header, payload, and signature — free, private, nothing leaves your browser.

URL Parser

Paste any URL to break it down into protocol, host, path, query parameters, and fragment — free and browser-based.

MIME Type Lookup

Bidirectional reference — find the MIME type for any file extension, or the extensions for any MIME type.