What is the difference between 401 and 403?

401 Unauthorized means authentication is missing or failed, so the client should re-authenticate and must receive a WWW-Authenticate header. 403 Forbidden means the identity is known but lacks permission, so re-authenticating will not help.

When should I use 422 instead of 400?

Use 400 when the request is syntactically malformed, such as broken JSON. Use 422 Unprocessable Content when the syntax is valid but the data fails business or validation rules, like a missing required field value.

What headers must a 429 include?

A 429 Too Many Requests response should include a Retry-After header telling the client how long to wait before retrying. Many APIs also add rate-limit headers describing the remaining quota and reset time.

Is 404 the right code for an unauthorized resource?

Sometimes. To avoid revealing that a resource exists to users who cannot access it, APIs may return 404 instead of 403. This is a deliberate information-hiding choice rather than a true not-found.

What does 409 Conflict mean?

409 indicates the request conflicts with the current state of the resource, such as an edit conflict, a version mismatch, or violating a uniqueness constraint. The body should explain how to resolve the conflict.

HTTP 4xx Client Error Codes

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

HTTP 4xx client error status codes

The 4xx class means the server believes the client got something wrong: the syntax, the credentials, the permissions, the target, or the rate. Returning the most precise 4xx code — and a clear, machine-readable error body — turns a frustrating failure into something a developer can fix in seconds. The difference between 400 and 422, or 401 and 403, is not pedantry; clients branch on these codes. Search the reference above by number, name, or symptom to find the right one.

How it works

When the server detects a client-side problem, it returns a 4xx code and should not retry the request unchanged (the exceptions are 408 Request Timeout and 429 Too Many Requests, which invite a retry). Several codes require specific headers to be valid: 401 needs WWW-Authenticate, 405 Method Not Allowed needs Allow, and 429 should carry Retry-After. A good REST API pairs the status code with a structured body — commonly an RFC 9457 Problem Details document with type, title, status, and detail fields — so clients can display a helpful message and developers can debug without guessing.

Tips and examples

Distinguish authentication from authorization: 401 (who are you?) versus 403 (you may not). Mixing them confuses clients and security audits.
Use 422 for validation failures and return a field-level error list so forms can highlight exactly what to fix.
On 429, always set Retry-After; well-behaved clients use it to back off instead of hammering your service.
Prefer 410 Gone over 404 for resources you have intentionally and permanently retired — it is clearer and more cache-friendly for crawlers.