# HTTP response codes

## 400 level errors

### 400 Bad Request
General 400 error for malformed request syntax, invalid parameters, invalid content-type, etc. Sometimes a request's parameters may pass client side validation, but when evaluated against business logic they may no longer be valid. In these scenarios a response code of 400 is acceptable.
### 401 Unauthorized
The server is unable to identify the user for an endpoint that requires authentication. This could be an invalid or expired token, or failure to send a token. 401 should not be used for requests that include valid tokens that fail authorization. For those scenarios, prefer instead a 403.
UI code will use 401 responses to return the user to a login form or other means of re-authentication.
### 403 Forbidden
The server was able to successfully process the auth token (valid, not expired) but the user does not have permission to perform the action they are requesting.
In this scenario, the UI will not ask the user to re-authenticate and may instead communicate to the user that they do not have permission to perform the request. The UI may additionally allow the user to request the access needed.
Whether the user lacks access to the route itself or only to the specific resource at that route, the effect is the same: return a 403.
### 404 Not Found
Return a 404 when an endpoint or a singular resource doesn't exist (e.g. /user/1234). 404 should not be used in situations where a list is simply empty due to tight filter criteria or an unpopulated table.
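The following handlers, added here as an illustration and not part of the original guideline, show the four decisions above in order: identify the caller (401), check permission (403), validate parameters (400), then look up the singular resource (404), while a filtered list that matches nothing stays 200 with an empty body. The token table, permission names, and user records are constructed sample data.

```python
import time
from typing import Optional

# Constructed sample data (not from the page): bearer token -> (user id, expiry epoch, permissions)
TOKENS = {
    "tok-alice": ("alice", 4102444800, {"user:read", "user:delete"}),
    "tok-bob": ("bob", 4102444800, {"user:read"}),
    "tok-carol": ("carol", 1600000000, {"user:read", "user:delete"}),  # already expired
}
# Constructed resource table keyed by numeric id
USERS = {"1234": {"id": "1234", "name": "Example User"}}


def authenticate(authorization: Optional[str], now: float) -> Optional[dict]:
    """Identify the caller from an Authorization header.

    Returns None when the server cannot identify the user (missing, malformed,
    unknown or expired token): the 401 case. A valid token is never rejected
    here for lack of permission; that is decided separately (403).
    """
    if not authorization or not authorization.startswith("Bearer "):
        return None
    entry = TOKENS.get(authorization[len("Bearer "):])
    if entry is None or entry[1] <= now:
        return None
    return {"id": entry[0], "perms": entry[2]}


def handle_delete_user(authorization: Optional[str], user_id: str, now: Optional[float] = None):
    """DELETE /user/{id}. Returns (status, body) following the 401/403/400/404 rules."""
    now = time.time() if now is None else now
    principal = authenticate(authorization, now)
    if principal is None:
        return 401, {"error": "authentication required"}  # UI should re-authenticate
    if "user:delete" not in principal["perms"]:
        return 403, {"error": "permission denied"}        # valid token, action not allowed
    if not user_id.isdigit():
        return 400, {"error": "user id must be numeric"}  # parameter fails validation
    if user_id not in USERS:
        return 404, {"error": "user not found"}           # singular resource missing
    del USERS[user_id]
    return 204, None


def handle_list_users(authorization: Optional[str], name_filter: str = "", now: Optional[float] = None):
    """GET /user?name=... An empty match is 200 with [], never 404."""
    now = time.time() if now is None else now
    principal = authenticate(authorization, now)
    if principal is None:
        return 401, {"error": "authentication required"}
    if "user:read" not in principal["perms"]:
        return 403, {"error": "permission denied"}
    return 200, [u for u in USERS.values() if name_filter.lower() in u["name"].lower()]
```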