Every time you call an API, the server replies with a number. That number tells you what happened. Did it work? Did you mess up? Did the server crash? The status code answers all of that in three digits.
| Range | Category | Meaning | Your Reaction |
|---|---|---|---|
| 1xx | Informational | Request received, processing | Rare — you'll almost never test these |
| 2xx | Success | Request worked | Happy path — this is what you want |
| 3xx | Redirection | Go look somewhere else | URL changed — follow the redirect |
| 4xx | Client Error | YOU messed up | Bad request, missing auth, wrong URL |
| 5xx | Server Error | SERVER messed up | Bug in backend — file it immediately |
| Code | Name | When It Happens | Example |
|---|---|---|---|
| 200 | OK | Request succeeded | GET /users/1 returns the user |
| 201 | Created | New resource created | POST /users creates a new user |
| 204 | No Content | Success but nothing to return | DELETE /users/1 — deleted, nothing to show |
| 301 | Moved Permanently | URL changed forever | Old API version redirects to new one |
| 400 | Bad Request | Your request is malformed | Missing required field in POST body |
| 401 | Unauthorized | No credentials or invalid token | Calling API without login token |
| 403 | Forbidden | Authenticated but not allowed | Regular user hitting admin endpoint |
| 404 | Not Found | Resource doesn't exist | GET /users/99999 — no such user |
| 405 | Method Not Allowed | Wrong HTTP method | Sending DELETE to a read-only endpoint |
| 409 | Conflict | Request conflicts with current state | Creating a user with duplicate email |
| 422 | Unprocessable Entity | Data format is right but values are wrong | Email field has "not-an-email" |
| 429 | Too Many Requests | Rate limit exceeded | Sending 1000 requests in 1 minute |
| 500 | Internal Server Error | Server crashed | Unhandled exception in backend code |
| 502 | Bad Gateway | Upstream server failed | Database is down |
| 503 | Service Unavailable | Server is overloaded or in maintenance | During deployment |
A common bug: the API returns 200 OK with an error message in the body, for example status 200 with body `{ "error": "User not found" }`. This is WRONG; it should return 404. As a tester, always verify that the status code matches the actual result. Don't just check the body.
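The check described above, written out as an added example (this is not code from the original page). It runs over constructed response objects rather than live HTTP traffic so it works offline; in a real suite you would build the same `Response` from a `requests.Response`. The set of error-body keys (`error`, `errors`, `message`) is an assumption about typical API conventions, and the checks for 204-with-body and 201-without-Location go slightly beyond the paragraph by covering the other success-code contracts from the table.

```python
"""Status-code consistency checks for API test suites (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumption: keys that mark a JSON body as describing an error.
ERROR_KEYS = {"error", "errors", "message"}


@dataclass
class Response:
    """The parts of an HTTP response the checks need."""
    method: str
    status: int
    body: Optional[dict] = None
    headers: dict = field(default_factory=dict)


def check_response(resp: Response) -> list[str]:
    """Return a list of findings; an empty list means status and body agree."""
    findings: list[str] = []
    body = resp.body or {}
    looks_like_error = bool(ERROR_KEYS & set(body))

    # 2xx with an error-shaped body: the "200 with an error" bug.
    if 200 <= resp.status < 300 and looks_like_error:
        findings.append(f"{resp.status} returned but body carries an error: {body}")

    # 4xx/5xx should say what went wrong; an empty body hides the cause.
    if resp.status >= 400 and not looks_like_error:
        findings.append(f"{resp.status} returned without an error message in the body")

    # 204 means "no content": any body is a contract violation.
    if resp.status == 204 and resp.body is not None:
        findings.append("204 No Content returned with a body")

    # A successful POST should be 201 and point at the new resource.
    if resp.method == "POST" and resp.status == 200:
        findings.append("POST succeeded with 200; 201 Created is the expected code")
    if resp.status == 201 and "Location" not in resp.headers:
        findings.append("201 Created without a Location header")

    return findings


# Constructed sample responses, as a tester might capture them.
SAMPLES = {
    "ok": Response("GET", 200, {"id": 1, "name": "alice"}),
    "hidden_404": Response("GET", 200, {"error": "User not found"}),
    "good_404": Response("GET", 404, {"error": "User not found"}),
    "silent_500": Response("GET", 500, None),
    "post_200": Response("POST", 200, {"id": 2}),
    "good_201": Response("POST", 201, {"id": 2}, {"Location": "/users/2"}),
    "chatty_204": Response("DELETE", 204, {"deleted": True}),
}


def run_all() -> dict[str, list[str]]:
    """Check every sample and return only those with findings."""
    return {name: f for name, r in SAMPLES.items() if (f := check_response(r))}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"[FAIL] {name}")
        for finding in findings:
            print("   -", finding)
```

Running it flags `hidden_404`, `silent_500`, `post_200` and `chatty_204` and passes the three well-formed samples; wiring `check_response` into every test's assertion step catches the status/body mismatch even when the body itself looks correct.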
Memory trick for interviews. 2xx = all good. 4xx = YOUR fault (client error). 5xx = THEIR fault (server error). If you remember nothing else, remember this.
Q: What is the difference between 401 and 403?
A: 401 means the server doesn't know who you are — no credentials were sent or they're invalid. 403 means the server knows who you are but you don't have permission. Example: calling an API without a token gives 401. Calling an admin API with a regular user token gives 403. The fix for 401 is authentication. The fix for 403 is authorization.
Q: What status code should a POST endpoint return on success?
A: 201 Created — it means a new resource was successfully created. Some APIs return 200 OK, which technically works but isn't semantically correct. A well-designed API returns 201 with the created resource in the body and a Location header pointing to the new resource's URL.
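To show how the two answers above look from the server side, here is an added example (not code from the original page) of a minimal in-memory request handler. It checks authentication before anything else (missing or unknown token gives 401), then routing (404 for unknown paths, 405 for a known path with the wrong verb), then authorization (403 when the caller is known but lacks the role), and on a successful POST returns 201 with a `Location` header. The 400, 422 and 409 branches mirror the table's examples. The tokens, roles, routes and users are all constructed for the demonstration.

```python
"""Toy API handler illustrating how status codes are chosen (added example)."""
from __future__ import annotations

from typing import Optional

# Constructed bearer tokens -> (user id, role). Real systems verify signed tokens.
TOKENS = {
    "tok-alice": ("alice", "user"),
    "tok-root": ("root", "admin"),
}

# Constructed resource store.
USERS = {"alice": {"id": "alice", "email": "alice@example.com"}}

# Path prefix -> (allowed methods, minimum role).
ROUTES = {
    "/users": ({"GET", "POST"}, "user"),
    "/admin/audit": ({"GET"}, "admin"),
}
ROLE_RANK = {"user": 1, "admin": 2}


def handle(method: str, path: str, token: Optional[str], body: Optional[dict] = None):
    """Return (status, headers, body) for one request."""
    # 1. Authentication: do we know who is calling? If not, 401.
    #    Done first so unauthenticated callers learn nothing about which paths exist.
    if token is None or token not in TOKENS:
        return 401, {"WWW-Authenticate": "Bearer"}, {"error": "authentication required"}
    user_id, role = TOKENS[token]

    # 2. Routing: unknown path -> 404; known path but unsupported verb -> 405.
    route = next((r for r in ROUTES if path == r or path.startswith(r + "/")), None)
    if route is None:
        return 404, {}, {"error": "no such resource"}
    allowed, required_role = ROUTES[route]
    if method not in allowed:
        return 405, {"Allow": ", ".join(sorted(allowed))}, {"error": "method not allowed"}

    # 3. Authorization: identity is known but the role is insufficient -> 403.
    if ROLE_RANK[role] < ROLE_RANK[required_role]:
        return 403, {}, {"error": "forbidden"}

    # 4. Happy paths and the client-error cases from the table.
    if route == "/users" and method == "POST":
        body = body or {}
        if "email" not in body:
            return 400, {}, {"error": "email is required"}          # malformed request
        if "@" not in body["email"]:
            return 422, {}, {"error": "email is not a valid address"}  # right shape, bad value
        if any(u["email"] == body["email"] for u in USERS.values()):
            return 409, {}, {"error": "email already registered"}   # conflicts with state
        new_id = body["email"].split("@")[0]
        USERS[new_id] = {"id": new_id, "email": body["email"]}
        return 201, {"Location": f"/users/{new_id}"}, USERS[new_id]

    if route == "/users" and method == "GET":
        target = path[len("/users/"):] if path != "/users" else None
        if target is None:
            return 200, {}, {"users": sorted(USERS)}
        if target not in USERS:
            return 404, {}, {"error": "User not found"}
        return 200, {}, USERS[target]

    # /admin/audit GET: only reachable with the admin role.
    return 200, {}, {"audit": [], "requested_by": user_id}


if __name__ == "__main__":
    print(handle("GET", "/users/alice", None)[0])              # 401: no token
    print(handle("GET", "/admin/audit", "tok-alice")[0])       # 403: known user, wrong role
    print(handle("POST", "/users", "tok-alice", {"email": "bob@example.com"})[:2])
```

The ordering matters for the interview answer: 401 is decided before the server has looked at the resource at all, while 403 is only possible once the caller's identity is established and compared against what the route requires.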
Key Point: 2xx = success, 4xx = client error, 5xx = server error. Always verify the status code matches the actual outcome.