400 Bad Request: HTTP Status Code Meaning, Causes, and Fixes

What 400 Bad Request means

400 Bad Request is the catch-all client-error code. It means the request is malformed in a way that prevents the server from processing it: invalid JSON, missing required fields, type mismatches, oversized parameters, or any syntactic problem with the request itself. 400 is about the client sending bad data, not about authentication, permissions, or missing resources (those are 401, 403, 404 respectively).

When servers should return it: Return 400 when the request is syntactically invalid or contains data the server cannot parse. Use 422 instead when the request is well-formed but semantically invalid (e.g. business rule violation).

Common causes

Malformed JSON body (missing comma, unclosed bracket)
Required field missing from the request body
Wrong data type (sending a string where a number is expected)
Query parameter contains invalid characters
Request size exceeds a server-side limit
Content-Type header does not match the body format

How to fix 400 Bad Request

Validate JSON locally before sending: echo $BODY | jq .
Read the response body, most APIs include a specific error message
Check the API documentation for required fields
Verify Content-Type matches what you are sending
For binary uploads, use --data-binary, not -d

Example response

curl -i -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name":}'

HTTP/2 400
content-type: application/json
{"error":"Invalid JSON","details":"Unexpected '}' at position 9"}

Related status codes

Frequently Asked Questions

How is 400 different from 422?

400 is for malformed requests (broken JSON, missing required fields). 422 is for well-formed requests that violate business rules (email already taken, age must be positive). The distinction is: can the server parse this at all?

How do I see the actual error?

Almost every API includes a JSON error body with details. Always read the body on 4xx, do not just look at the status code.

Can a 400 be retried?

No, not without changes. A 400 means the request itself is wrong. Retrying the same request will get the same 400.

More references

For a one-page reference of all HTTP status codes, see the HTTP cheat sheet. For testing API responses, try the API Tester tool. For inspecting responses on the command line, the curl cheat sheet covers the most common flags.