HTTP status codes are three-digit numbers returned by a web server in the response to every client request. They are defined by the HTTP specification (RFC 9110) and tell the client whether the request succeeded, was redirected, contained an error, or caused a server failure. Understanding these codes is essential for debugging APIs, building reliable web applications, interpreting server logs, and setting up proper error handling.
1xx (Informational): The server received the request and is continuing to process it. These are interim responses. The most common are 101 Switching Protocols, which you see during WebSocket upgrades, and 103 Early Hints, used for preloading resources.
2xx (Success): The request was received, understood, and accepted. 200 OK is the standard success response. 201 Created confirms a new resource was created (typical after a POST). 204 No Content means success with no response body (common for DELETE).
3xx (Redirection): The client needs to take additional action to complete the request, usually following a redirect. The key distinction is between 301 (permanent; search engines transfer SEO value to the new URL) and 302/307 (temporary; search engines keep the original URL).
4xx (Client Error): The request contains an error on the client side. 400 Bad Request means malformed syntax. 401 Unauthorized means missing or invalid authentication. 403 Forbidden means the server understood the request but refuses to authorize it. 404 Not Found means the resource does not exist. 429 Too Many Requests means you are being rate-limited.
5xx (Server Error): The server failed to fulfill a valid request. 500 Internal Server Error is a generic catch-all. 502 Bad Gateway means a proxy or load balancer received an invalid response from an upstream server. 503 Service Unavailable means the server is temporarily overloaded or down for maintenance.
200, 201, 204: The success trio. Know which one to return for each HTTP method.
301 vs 302 vs 307: Permanent vs temporary redirects. Getting this wrong can hurt SEO or break form submissions.
400, 401, 403, 404: The client error essentials. Use the right one: 401 means "who are you?" and 403 means "I know who you are, but you are not allowed."
429: Rate limiting. When you receive this, check the Retry-After header and implement exponential backoff.
500, 502, 503: Server errors. As a client, retry with backoff. As a server operator, check logs immediately.
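The client-side retry advice for 429 and 5xx above, as an added example that is not part of the original page. It parses both Retry-After forms allowed by RFC 9110, applies exponential backoff with jitter, and caps the wait so a response header cannot stall the client indefinitely. The function names, the constants and the choice to retry 500 alongside 502 and 503 are assumptions made for illustration.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RETRYABLE = {429, 500, 502, 503}  # assumed policy: retry only the codes listed above
BASE_DELAY = 0.5                  # assumed first backoff step, in seconds
MAX_DELAY = 60.0                  # assumed cap: a header never dictates a longer sleep


def parse_retry_after(value, now=None):
    """Return seconds to wait from a Retry-After value, or None if unusable.

    RFC 9110 allows delay-seconds ("120") or an HTTP-date.
    """
    if not value:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # malformed header: fall back to plain backoff
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def retry_delay(status, attempt, retry_after=None, max_attempts=5,
                now=None, rng=random.random):
    """Return seconds to sleep before the next try, or None to stop retrying.

    attempt is 0 for the first retry. Other 4xx codes are never retried:
    repeating a 401 or 403 only re-sends a request the server already refused.
    """
    if status not in RETRYABLE or attempt >= max_attempts:
        return None
    ceiling = min(MAX_DELAY, BASE_DELAY * (2 ** attempt))
    backoff = rng() * ceiling  # jitter spreads out clients that failed together
    hinted = parse_retry_after(retry_after, now)
    if hinted is not None:
        # Honour the server's hint, but never beyond the local cap.
        return min(MAX_DELAY, max(hinted, backoff))
    return backoff
```

Call `retry_delay(response_status, attempt, response_headers.get("Retry-After"))` in the request loop and stop when it returns None.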
When an API returns an unexpected status code, check these things in order: (1) Is the URL correct, including trailing slashes? (2) Is the HTTP method correct (GET vs POST vs PUT)? (3) Is the Content-Type header set correctly? (4) Is the authentication token valid and not expired? (5) Are you hitting a rate limit? The "How to Fix" column in the table above gives specific guidance for each code.
Use your browser's developer tools (Network tab) or a tool like the API Request Tester to inspect the full response, including headers. Status codes alone often do not tell the full story; the response body usually contains a more specific error message.
Test API endpoints directly with the API Request Tester. Decode authentication tokens with the JWT Decoder. Build properly encoded URLs with the URL Encoder. For a comprehensive list of free APIs to practice with, see 30+ Free APIs for Developers in 2026.
This is a static reference page. Everything runs in your browser. No data is sent anywhere.