HTTP Status Code Selection

HTTP status codes are a three-digit classification system that tells API consumers whether a request succeeded, failed due to client error, or failed due to a server-side issue. Selecting the right code is critical because automated clients, proxies, and CDNs make routing and retry decisions based on these codes. Using 200 for everything and embedding error information only in the body defeats the purpose of HTTP semantics and breaks standard middleware behavior.

The main categories are 2xx for success (200 OK, 201 Created, 202 Accepted, 204 No Content), 3xx for redirections, 4xx for client errors (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable Entity, 429 Too Many Requests), and 5xx for server errors (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable). Each code carries specific semantics -- for example, 401 means the request lacks valid authentication credentials, while 403 means the authenticated user lacks permission.

Consistent status code usage enables clients to implement robust error-handling logic. A client can automatically retry on 503, prompt re-authentication on 401, and display validation errors on 422, all without parsing the response body first. Teams should document their status code usage in their API style guide and validate it in integration tests.