What is the difference between 403 Forbidden and 401 Unauthorized?

A 401 means the request lacks valid authentication credentials -- the server doesn't know who you are. A 403 means the server knows who you are (you may be authenticated) but you don't have permission to access the resource. In short: 401 = 'who are you?', 403 = 'I know you, but no.'

When should I use 301 vs 302 redirect?

Use 301 Moved Permanently when the resource has permanently moved to a new URL and all future requests should use the new URL. Search engines transfer ranking to the new URL. Use 302 Found (or 307) for temporary redirects where the original URL will be valid again later, like during maintenance or A/B testing.

HTTP Status Codes

Q: What is the 418 I'm a Teapot status code?

HTTP 418 was defined in RFC 2324 as an April Fools' joke in 1998 as part of the Hyper Text Coffee Pot Control Protocol. The server refuses to brew coffee because it is, permanently, a teapot. While not a real standard, many HTTP libraries include it and some APIs use it as an Easter egg.

Quick reference for every HTTP status code. Search by number or keyword, click to expand details.

HTTP Status Code Categories

HTTP status codes are three-digit numbers returned by a server in response to a client request. They are grouped into five categories:

1xx Informational -- The request was received and the server is continuing to process it.
2xx Success -- The request was successfully received, understood, and accepted.
3xx Redirection -- Further action is needed to complete the request, usually following a different URL.
4xx Client Error -- The request contains an error on the client side, such as bad syntax or an unauthorized request.
5xx Server Error -- The server failed to fulfill a valid request due to an internal problem.

Most Common HTTP Errors and How to Fix Them

400 Bad Request

Check your request syntax, headers, and body. Validate JSON payloads and ensure Content-Type headers match the data format.

401 Unauthorized

Provide valid authentication credentials. Check that your API key, token, or session cookie is correct and not expired.

403 Forbidden

You are authenticated but lack permission. Verify your role, file permissions on the server, or CORS configuration.

404 Not Found

Double-check the URL. Look for typos, trailing slashes, or changed endpoints. Set up redirects for moved pages.

500 Internal Server Error

Check server logs for the actual error. Common causes: unhandled exceptions, database connection failures, or misconfigured environment variables.

502 Bad Gateway

The reverse proxy or load balancer received an invalid response from the upstream server. Check that the upstream service is running and healthy.

503 Service Unavailable

The server is temporarily overloaded or under maintenance. Implement retry logic with exponential backoff on the client side.

API Status Code Best Practices

Use 200 for successful GET/PUT/PATCH, 201 for successful POST that creates a resource, and 204 for successful DELETE with no response body.
Use 400 for validation errors with a descriptive JSON body explaining what went wrong.
Use 401 when authentication is missing or invalid, and 403 when the user is authenticated but lacks the required role or scope.
Use 404 for missing resources and 409 for conflicts such as duplicate entries.
Use 422 for semantically invalid input that is syntactically correct.
Use 429 with a Retry-After header to communicate rate limits.
Reserve 500 for truly unexpected server errors. Never intentionally return 500.

Frequently Asked Questions

What does a 403 vs 401 mean?

A 401 Unauthorized means the request lacks valid authentication -- the server does not know who you are. A 403 Forbidden means the server knows your identity but you do not have permission to access that resource. Think of 401 as "please log in" and 403 as "access denied."

When should I use 301 vs 302?

Use 301 Moved Permanently when a resource has permanently moved and you want search engines and clients to update their references to the new URL. Use 302 Found for temporary redirects where the original URL will be valid again. For modern APIs, prefer 308 (permanent) and 307 (temporary) as they preserve the HTTP method.

What is a 418 status code?

HTTP 418 "I'm a Teapot" was an April Fools' joke from RFC 2324 (1998) defining the Hyper Text Coffee Pot Control Protocol. The server refuses to brew coffee because it is a teapot. It is not a real standard, but it lives on as a beloved Easter egg in many HTTP libraries and APIs.