Q5 of 37 · API testing

What is the difference between status codes 200, 201, 204, 400, 401, 403, 404, and 500?

Tags: API testing · Junior · api · http · status-codes · fundamentals

Short answer

2xx = success: 200 OK with body, 201 Created, 204 No Content. 4xx = client error: 400 Bad Request (validation), 401 Unauthorised (no/bad credentials), 403 Forbidden (authenticated but not allowed), 404 Not Found. 5xx = server error: 500 Internal Server Error.

Detail

Status codes communicate the outcome at the protocol layer. Tests assert on them; misinterpreting them is a common bug source.

2xx — success:

  • 200 OK — generic success with a response body. GET /users/42 returning the user.
  • 201 Created — resource was created. The response should typically include the new resource and a Location header pointing at it.
  • 204 No Content — success, but no response body. Common for DELETE and idempotent updates that don't need to return anything.

4xx — client error (the caller did something wrong):

  • 400 Bad Request — the request itself is malformed. Validation failures (missing required field, wrong type) live here. Typically returns an error body explaining what's wrong.
  • 401 Unauthorised — no credentials supplied or credentials are invalid. The client should authenticate and retry.
  • 403 Forbidden — credentials are valid but the user is not allowed to perform this action. Authentication was fine; authorisation failed.
  • 404 Not Found — the resource doesn't exist (or the URL doesn't match a route). Don't conflate with 401 — 404 says "this thing isn't here," not "you can't see it."

5xx — server error (the server is broken):

  • 500 Internal Server Error — generic "the server crashed or threw an unhandled exception." Tests should fail loudly on these.
  • Other common 5xx: 502 Bad Gateway (upstream broken), 503 Service Unavailable (temporary outage), 504 Gateway Timeout.

The 401 vs 403 trap (popular interview question):

  • 401 = "I don't know who you are."
  • 403 = "I know who you are, you can't do this."

Some APIs misuse them — returning 403 for missing auth tokens. When testing, assert the spec's code, not whatever the API happens to return.

The 404 / 410 nuance: 410 Gone explicitly says the resource existed and was permanently removed; 404 says it isn't here (no claim about history). Most APIs use 404 for both; specs that distinguish them are usually doing so deliberately.
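The following is an added example, not code from the original question page: a tiny in-memory "users" API whose handler returns each of the codes discussed above (200, 201 with Location, 204, 400, 401, 403, 404, 410, and a 500 produced by an unhandled exception), plus a spec-driven checker that asserts the documented code for every case rather than whatever the handler happens to return. All names, API keys, user records and the SPEC table are constructed for illustration.

```python
"""Constructed example: minimal users API + spec-driven status-code check."""

# Constructed sample state (hypothetical keys and records).
API_KEYS = {"key-reader": {"user": "alice", "role": "reader"},
            "key-admin": {"user": "root", "role": "admin"}}
USERS = {42: {"id": 42, "name": "Ada"}}
GONE = {7}            # ids that existed and were permanently removed -> 410
_next_id = [100]


def handle(method, path, headers=None, body=None):
    """Route one request; returns (status, response_headers, body_or_None)."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    token = headers.get("authorization", "")
    token = token[len("Bearer "):] if token.startswith("Bearer ") else ""
    principal = API_KEYS.get(token)
    if principal is None:                       # 401: no or unrecognised credentials
        return 401, {"WWW-Authenticate": "Bearer"}, {"error": "authentication required"}

    parts = path.strip("/").split("/")
    if parts[0] != "users" or len(parts) > 2:   # 404: URL matches no route
        return 404, {}, {"error": "no such route"}

    if len(parts) == 1 and method == "POST":
        if principal["role"] != "admin":        # 403: known caller, not permitted
            return 403, {}, {"error": "admin role required"}
        if not isinstance(body, dict) or not isinstance(body.get("name"), str):
            return 400, {}, {"error": "field 'name' (string) is required"}  # 400: validation
        new_id = _next_id[0]
        _next_id[0] += 1
        USERS[new_id] = {"id": new_id, "name": body["name"]}
        return 201, {"Location": f"/users/{new_id}"}, USERS[new_id]  # 201 + Location

    if len(parts) == 2:
        user_id = int(parts[1])                 # deliberately unguarded: "abc" raises ValueError
        if user_id in GONE:
            return 410, {}, {"error": "user was permanently removed"}
        if user_id not in USERS:
            return 404, {}, {"error": "user not found"}
        if method == "GET":
            return 200, {}, USERS[user_id]
        if method == "DELETE":
            if principal["role"] != "admin":
                return 403, {}, {"error": "admin role required"}
            del USERS[user_id]
            GONE.add(user_id)
            return 204, {}, None                # 204: success, no body

    return 404, {}, {"error": "no such route"}


def dispatch(method, path, headers=None, body=None):
    """What a framework does for you: an unhandled exception becomes a 500."""
    try:
        return handle(method, path, headers, body)
    except Exception as exc:
        return 500, {}, {"error": f"unhandled {type(exc).__name__}"}


ADMIN = {"Authorization": "Bearer key-admin"}
READER = {"Authorization": "Bearer key-reader"}

# Documented behaviour: (case, method, path, headers, body, expected status).
# Order matters: later cases observe state changed by earlier ones.
SPEC = [
    ("get existing",       "GET",    "/users/42",  READER, None,            200),
    ("create as admin",    "POST",   "/users",     ADMIN,  {"name": "Bob"}, 201),
    ("delete as admin",    "DELETE", "/users/42",  ADMIN,  None,            204),
    ("validation failure", "POST",   "/users",     ADMIN,  {"name": 5},     400),
    ("no credentials",     "GET",    "/users/42",  {},     None,            401),
    ("create as reader",   "POST",   "/users",     READER, {"name": "Bob"}, 403),
    ("missing user",       "GET",    "/users/999", READER, None,            404),
    ("removed user",       "GET",    "/users/7",   READER, None,            410),
    ("non-numeric id",     "GET",    "/users/abc", READER, None,            404),
]


def check_against_spec():
    """Return [(case, expected, actual)] for every case whose code differs from SPEC."""
    mismatches = []
    for case, method, path, headers, body, expected in SPEC:
        status, _, _ = dispatch(method, path, headers, body)
        if status != expected:
            mismatches.append((case, expected, status))
    return mismatches


if __name__ == "__main__":
    for case, expected, actual in check_against_spec():
        print(f"FAIL {case}: spec says {expected}, got {actual}")
```

Running the checker reports exactly one failure, the non-numeric id case: the spec documents 404, but the unguarded `int()` turns it into a 500, which is the "unhandled exception" the Detail section says tests must fail loudly on. The checker mutates state (it creates and deletes users), so run it once per fresh process or reset the tables between runs.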

// MODEL ANSWER

I think about status codes in three bands. Two-xx means the server did what you asked: 200 is generic success with a body, 201 means a resource was created and the response should include its location, 204 is success with no body — typical for DELETE. Four-xx means the client did something wrong: 400 is a malformed or invalid request, which is where validation failures belong; 401 means no credentials or bad credentials and the client needs to authenticate before retrying; 403 means the client is authenticated but not allowed to perform that action; 404 means the resource does not exist. Five-xx means the server broke: 500 is the generic unhandled exception code and tests should fail loudly whenever they see one. The 401 versus 403 distinction is the one most worth being crisp on. 401 says I do not know who you are. 403 says I know who you are and you cannot do this. Many APIs misuse them, but the spec is the source of truth — I always assert the documented code, not whatever the API happens to return.

// WHAT INTERVIEWERS LOOK FOR

Clear taxonomy (2xx/4xx/5xx), the 401 vs 403 distinction, awareness of 201 vs 200 for creation, and bonus knowledge of 410 Gone.

// COMMON PITFALL

Mixing 401 and 403 in tests — many APIs use them inconsistently, but the spec is the source of truth. Or asserting 200 when 201 is the documented response for create.