When should I use 400 vs 422?
400 Bad Request for malformed input (bad JSON, missing required field). 422 Unprocessable Entity for semantic errors (valid format but invalid value, like a bad email). Many APIs use 400 for both; that is fine.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in API Status Codes: When to Use Which
200 OK for GET and PATCH (generic success). 201 Created for POST (a new resource was created). 204 No Content for DELETE (success with no body). Use the right code so clients can branch on it.
401 Unauthorized means not authenticated (who are you? - no valid token). 403 Forbidden means authenticated but not allowed (you cannot do that - wrong role). Check auth first, then authorization.
404. If a resource exists but the user cannot see it, returning 403 leaks its existence. Returning 404 is safer for private resources. The client cannot tell whether it does not exist or they cannot see it.
Still have questions?
Browse all our FAQs or reach out to our support team
