The Shack Developer Tips How to Read and Debug HTTP Status Codes

How to Read and Debug HTTP Status Codes

Developer Tips December 15, 2025 6 min read
Back to All Posts

HTTP status codes are the server's way of communicating exactly what happened with your request. A three-digit number tells you whether it succeeded, redirected, failed on your end, or failed on the server's end. Once you know the pattern, they become your first and fastest debugging tool when working with APIs and web applications.

The DevToolShack HTTP Status Codes reference has every code with its meaning and common use cases — a quick lookup when you encounter something unfamiliar.

The Five Classes

The first digit of every status code tells you which category it falls into — this alone gets you 80% of the way to diagnosing a problem:

ClassRangeMeaning
1xx100–199Informational — request received, processing continues
2xx200–299Success — request was received, understood, and accepted
3xx300–399Redirection — further action needed to complete the request
4xx400–499Client error — the request has a problem on your end
5xx500–599Server error — the server failed to fulfil a valid request
Quick mental model: 4xx means you did something wrong (bad request, not authenticated, not found). 5xx means the server did something wrong. This distinction immediately tells you where to look when debugging.

The Codes You'll See Every Day

2xx — Success

CodeNameWhen You'll See It
200OKStandard successful response for GET, POST, PUT requests
201CreatedResource was created — the correct response for a successful POST that creates a new record
204No ContentSuccess but no body to return — correct for DELETE requests and some PUTs
206Partial ContentRange request fulfilled — used for streaming video and resumable downloads

3xx — Redirects

CodeNameWhen You'll See It
301Moved PermanentlyURL has permanently moved — browsers and search engines update their records
302FoundTemporary redirect — don't update bookmarks or SEO signals
304Not ModifiedCached version is still valid — browser uses its local copy
307Temporary RedirectLike 302 but guarantees the HTTP method is preserved (POST stays POST)
308Permanent RedirectLike 301 but preserves HTTP method — use this instead of 301 for API endpoints

4xx — Client Errors

CodeNameTypical Cause
400Bad RequestMalformed request syntax, invalid parameters, missing required fields
401UnauthorizedAuthentication required or token invalid/expired
403ForbiddenAuthenticated but not allowed — wrong permissions, not just not logged in
404Not FoundResource doesn't exist at this URL
405Method Not AllowedWrong HTTP method — POST to a GET-only endpoint
409ConflictResource state conflict — duplicate record, version mismatch
410GoneResource existed but has been permanently deleted
422Unprocessable EntityRequest is well-formed but fails validation — used heavily in REST APIs
429Too Many RequestsRate limit hit — check the Retry-After header

5xx — Server Errors

CodeNameTypical Cause
500Internal Server ErrorGeneric server crash — check server logs for the real error
502Bad GatewayProxy/load balancer got an invalid response from the upstream server
503Service UnavailableServer overloaded or down for maintenance
504Gateway TimeoutUpstream server didn't respond in time — often a slow database query

The 401 vs 403 Confusion

These two are frequently mixed up, even by experienced developers:

  • 401 Unauthorized — means "you haven't proven who you are yet." Send credentials. Despite the name, it's really an authentication error.
  • 403 Forbidden — means "I know who you are, but you're not allowed to do this." An authorization error. Sending credentials again won't help.

Using the cURL Generator to Test Status Codes

When debugging API issues, testing the raw request with cURL eliminates browser, CORS, and JavaScript variables. The cURL Generator builds the command for you — paste in your endpoint, headers, and body, and get a cURL command ready to run:

# Test an API endpoint and show response headers
curl -i -X GET https://api.example.com/users \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/json"

# The -i flag shows response headers including the status code
# HTTP/2 200
# content-type: application/json
Bookmark the reference: The HTTP Status Codes tool is a searchable reference with every code, its RFC definition, and common use cases. Much faster than Googling "what is 422" mid-debug session.

Choosing the Right Code for Your API

When building APIs, using the right status code matters — it's part of your contract with API consumers:

  • Return 201 (not 200) when a resource is created
  • Return 204 (not 200) for successful deletes with no body
  • Return 422 for validation failures, not 400 (400 is for malformed syntax)
  • Return 409 for conflicts like duplicate records, not 400
  • Always include a Retry-After header with 429 responses
  • Never return 200 with an error in the body — that breaks every HTTP client
HTTP API Developer Tools Free Tools cURL

Related Articles

Developer Tips
How to Use cURL: A Beginner's Guide With Command Generator
7 min read
Developer Tips
URL Encoding Explained: Why Your URLs Break and How to Fix Them
6 min read
Developer Tips
How to Check SSL Certificates Online (And What to Look For)
6 min read