HTTP Status Codes
Every status code explained - when to use it and what it means.
The request headers are OK; client should send the body.
Server is switching protocols (e.g. to WebSocket).
Standard success response.
Resource was created. Include a Location header.
Request accepted but not yet processed.
Success with no body - common after PUT/DELETE.
Range request was honoured.
Permanent redirect - search engines update the index.
Temporary redirect - keep the original URL.
Used after POST to redirect to a GET resource.
Cached version is still valid; reuse it.
Like 302 but the method must not change.
Like 301 but the method must not change.
Malformed request - fix the client.
Authentication is required or has failed.
Reserved for future use; some APIs use it for paid tiers.
Authenticated but not allowed.
Resource does not exist.
Endpoint exists but doesn't accept this verb.
Server can't produce a response matching Accept headers.
Client took too long to send the request.
Request conflicts with current resource state (e.g. duplicate).
Resource is permanently removed - stronger than 404.
Content-Length header is missing.
If-Match / If-None-Match condition failed.
Request body exceeds server limit.
URL exceeds server limit.
Server doesn't accept the request's Content-Type.
An April Fools' joke from 1998 - kept alive ever since.
Validation failed - request was syntactically OK.
Reject replays of early data.
Server requires conditional headers.
Rate limit exceeded - back off.
Headers exceed server limit.
Blocked due to a legal demand.
Generic server crash - check logs.
Server doesn't support this functionality.
Upstream server returned an invalid response.
Server is overloaded or down for maintenance.
Upstream server didn't respond in time.
Server doesn't support the HTTP version.
Server is out of disk space.
Server detected an infinite loop while processing.
Captive portal - log in to the network first.
44 of 44 codes
About this tool
Searchable reference of every HTTP status code from 100 Continue to 511 Network Authentication Required, with category badges (1xx Informational, 2xx Success, 3xx Redirection, 4xx Client Error, 5xx Server Error) and short explanations of when each is appropriate.
Useful for designing a clean API, debugging a misbehaving server, choosing the right error code, or reading a request log. Includes the famous 418 'I'm a teapot'. Runs in your browser.
HTTP status codes are grouped into five families: 1xx informational, 2xx success, 3xx redirect, 4xx client error, 5xx server error. The right code communicates intent to clients, caches, search engines and monitoring tools - returning 200 OK for an error page hides bugs from monitoring, while 404 vs 410 changes how Google treats the URL long-term.
Features
- Every standard 1xx through 5xx code
- Color-coded category badges
- Search by number, name or description
- Includes 418 'I'm a teapot'
- Notes on common confusion (301 vs 302, 401 vs 403)
- Browser-only - runs locally
- Free and unlimited
How to use it
- Search by number (e.g. 404) or by keyword (e.g. 'redirect', 'auth').
- Read the matching codes and short explanations.
Everything happens inside your browser using JavaScript and WebAssembly. Your files are never uploaded to a server, never stored, and never seen by us.
Frequently asked questions
301 is permanent - search engines update their index and the browser remembers the redirect. 302 is temporary - the browser keeps using the original URL for future requests. Use 301 for moved-permanently, 302 for short-lived redirects.
401 Unauthorized means 'you need to authenticate' (no credentials, or wrong credentials). 403 Forbidden means 'I know who you are and you can't do this'. Authentication vs authorization.
400 Bad Request is for malformed syntax (broken JSON, missing required field). 422 Unprocessable Entity is for valid syntax but semantically wrong (e.g. email already exists, age is negative).
418 'I'm a teapot' was defined as a joke in RFC 2324 (1998) and re-confirmed in RFC 7168. It's been implemented by many servers and is real (if not very useful) HTTP.
401 Unauthorized means 'you need to authenticate' - the client should retry with credentials. 403 Forbidden means 'you are authenticated but not allowed' - retrying with the same identity will not help. Mixing them is a common API mistake that confuses client libraries.
Almost never. Status codes are how HTTP clients, browsers, CDNs and monitoring tools decide what happened. Returning 200 for failures breaks retries, hides errors from observability, and confuses caching. Use 4xx for client errors and 5xx for server errors, even in JSON APIs.