What are HTTP status codes?

HTTP status codes are three-digit numbers that a server sends in response to a client's request. They indicate whether the request was successful, if there was a client error, or if there was a server error. Status codes are grouped into five classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error).

What is the difference between 401 and 403?

401 Unauthorized means the client must authenticate first — the request lacks valid authentication credentials. 403 Forbidden means the server understands the request but refuses to authorize it — the client is authenticated but does not have permission to access the resource.

When should I use 404 vs 400?

404 Not Found means the server cannot find the requested resource — it may not exist or the URL may be wrong. 400 Bad Request means the server cannot process the request because it is malformed — for example, missing required fields, invalid data types, or incorrect request format.

What is the difference between 200 and 201?

200 OK is the standard success response for a request that was processed successfully. 201 Created is returned when a new resource was successfully created — typically in response to a POST request. The 201 response usually includes a Location header pointing to the newly created resource.

When should APIs return 429?

429 Too Many Requests is returned when a client has sent too many requests in a given time period and is being rate-limited. The response should include a Retry-After header indicating how long the client should wait before retrying.

What is the difference between 500 and 503?

500 Internal Server Error means the server encountered an unexpected condition that prevented it from fulfilling the request — a generic server-side error. 503 Service Unavailable means the server is temporarily unable to handle the request, usually due to being overloaded or down for maintenance.

Can I use this tool to choose status codes for mock APIs?

Yes. When designing mock API response profiles in MockFlow, this explorer helps you choose the right status code for each scenario — 200 for success, 201 for creation, 400 for bad input, 401 for unauthorized, 403 for forbidden, 404 for not found, 422 for validation errors, 429 for rate limits, and 500 for server errors.

← Back to Tools

HTTP Status Code Explorer

Search status codes and understand common API responses.

100 Continue

1xx Informational

The server received the initial request headers and is ready for the request body.

Common usage: Large upload begins only after the server confirms it can continue.

101 Switching Protocols

1xx Informational

The server accepts changing to a different protocol requested by the client.

Common usage: HTTP connection upgrades to WebSocket for real-time events.

200 OK

2xx Success

The request succeeded and the server returned the expected response.

Common usage: GET /users/123 returns a user object successfully.

201 Created

2xx Success

A new resource was created as a result of the request.

Common usage: POST /users creates a user and returns its id.

202 Accepted

2xx Success

The request was accepted for processing, but work has not completed yet.

Common usage: Export job is queued and will finish asynchronously.

204 No Content

2xx Success

The request succeeded, but there is no response body to return.

Common usage: DELETE /users/123 succeeds without returning JSON.

301 Moved Permanently

3xx Redirection

The resource has a permanent new URL and clients should update links.

Common usage: Old endpoint permanently redirects to a new versioned endpoint.

302 Found

3xx Redirection

The resource is temporarily available at a different URL.

Common usage: Temporary redirect to a maintenance or login route.

304 Not Modified

3xx Redirection

Cached content is still valid, so the server does not resend the full response.

Common usage: Client sends If-None-Match and keeps existing cached payload.

400 Bad Request

4xx Client Error

The request is malformed or fails validation rules.

Common usage: JSON payload misses required fields or has invalid types.

401 Unauthorized

4xx Client Error

Authentication is required or the provided credentials are invalid.

Common usage: Request is missing a bearer token or token is expired.

403 Forbidden

4xx Client Error

The client is authenticated but does not have permission for this action.

Common usage: Regular user attempts an admin-only operation.

404 Not Found

4xx Client Error

The requested resource could not be found.

Common usage: GET /projects/999 returns no matching project.

405 Method Not Allowed

4xx Client Error

The endpoint exists but does not support the HTTP method used.

Common usage: POST sent to a route that only allows GET.

409 Conflict

4xx Client Error

The request conflicts with the current state of the resource.

Common usage: Attempting to create a user with an email that already exists.

422 Unprocessable Content

4xx Client Error

The request format is valid, but semantic validation failed.

Common usage: Date range is logically invalid even though JSON is valid.

429 Too Many Requests

4xx Client Error

The client exceeded the allowed request rate limit.

Common usage: Too many login attempts in a short time period.

500 Internal Server Error

5xx Server Error

An unexpected server-side error occurred while processing the request.

Common usage: Unhandled exception in the API handler.

501 Not Implemented

5xx Server Error

The server does not support the functionality required for this request.

Common usage: Endpoint exists in docs but is not implemented yet.

502 Bad Gateway

5xx Server Error

A gateway/proxy received an invalid response from an upstream server.

Common usage: API gateway cannot get a valid response from a microservice.

503 Service Unavailable

5xx Server Error

The server is temporarily unable to handle the request.

Common usage: Service is down for maintenance or overloaded.

504 Gateway Timeout

5xx Server Error

A gateway/proxy did not receive a timely response from upstream.

Common usage: Upstream service timed out before responding.

Common choices for mock APIs

200 for success

201 for create

400 for invalid request

401 for missing authentication

403 for no permission

404 for missing resource

429 for rate limit

500 for server error

HTTP Status Code Explorer for API Testing

Explore HTTP status codes, their meanings, and when to use them in API design and testing. Useful for frontend developers choosing how to handle responses, QA testers simulating error states, and anyone building or testing REST APIs.

HTTP status code categories

1xx — Informational: The request was received and the server is continuing to process it. Rarely encountered by most developers. Includes 100 Continue and 101 Switching Protocols.
2xx — Success: The request was successfully received, understood, and accepted. Common codes: 200 OK, 201 Created, 202 Accepted, 204 No Content. These are the responses your frontend should handle as success states.
3xx — Redirection: Further action is needed to complete the request. Common codes: 301 Moved Permanently, 302 Found, 304 Not Modified. These are often handled automatically by HTTP clients.
4xx — Client Error: The request contains bad syntax or cannot be fulfilled by the server due to a client-side issue. Common codes: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 422 Unprocessable Entity, 429 Too Many Requests. Your frontend must handle these gracefully.
5xx — Server Error: The server failed to fulfill a valid request. Common codes: 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout. Your frontend should display appropriate error messages and retry logic for these cases.

Most important HTTP status codes for API testing

Code	Name	When to use
200	OK	Standard success response for GET, PUT, PATCH, DELETE
201	Created	A new resource was successfully created (POST)
204	No Content	Success with no response body (DELETE, some PUT)
400	Bad Request	Client sent invalid or malformed data
401	Unauthorized	Authentication required or token is missing/invalid
403	Forbidden	Authenticated but not permitted to access the resource
404	Not Found	Resource does not exist
422	Unprocessable Entity	Validation errors — request format is correct but content is invalid
429	Too Many Requests	Client is being rate-limited
500	Internal Server Error	Unexpected server-side failure
503	Service Unavailable	Server is temporarily unavailable or overloaded

Using HTTP status codes in mock APIs

When you create a mock API in MockFlow, each response profile requires a status code. Choosing the right status code makes your mock API realistic and lets your frontend handle different scenarios correctly.

Common mock API response profiles and their status codes:

Success state — 200 OK or 201 Created
Empty state — 200 OK with empty array or 204 No Content
Validation error — 400 Bad Request or 422 Unprocessable Entity
Unauthorized — 401 Unauthorized
Forbidden — 403 Forbidden
Not found — 404 Not Found
Rate limited — 429 Too Many Requests
Server error — 500 Internal Server Error or 503 Service Unavailable

Related tools

JSON Formatter & Validator — format and validate JSON response bodies for each status code.
JWT Decoder — inspect JWT tokens for debugging 401 and 403 responses.
Show Your IP — find your IP for API allowlist configuration and debugging blocked requests.

Related guides

Frequently asked questions

What are HTTP status codes?: HTTP status codes are three-digit numbers that a server sends in response to a client's request. They indicate whether the request was successful, if there was a client error, or if there was a server error. Status codes are grouped into five classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error).
What is the difference between 401 and 403?: 401 Unauthorized means the client must authenticate first — the request lacks valid authentication credentials. 403 Forbidden means the server understands the request but refuses to authorize it — the client is authenticated but does not have permission to access the resource.
When should I use 404 vs 400?: 404 Not Found means the server cannot find the requested resource — it may not exist or the URL may be wrong. 400 Bad Request means the server cannot process the request because it is malformed — for example, missing required fields, invalid data types, or incorrect request format.
What is the difference between 200 and 201?: 200 OK is the standard success response for a request that was processed successfully. 201 Created is returned when a new resource was successfully created — typically in response to a POST request. The 201 response usually includes a Location header pointing to the newly created resource.
When should APIs return 429?: 429 Too Many Requests is returned when a client has sent too many requests in a given time period and is being rate-limited. The response should include a Retry-After header indicating how long the client should wait before retrying.
What is the difference between 500 and 503?: 500 Internal Server Error means the server encountered an unexpected condition that prevented it from fulfilling the request — a generic server-side error. 503 Service Unavailable means the server is temporarily unable to handle the request, usually due to being overloaded or down for maintenance.
Can I use this tool to choose status codes for mock APIs?: Yes. When designing mock API response profiles in MockFlow, this explorer helps you choose the right status code for each scenario — 200 for success, 201 for creation, 400 for bad input, 401 for unauthorized, 403 for forbidden, 404 for not found, 422 for validation errors, 429 for rate limits, and 500 for server errors.