Status codes are the API's body language. Using them wrong confuses every client; reading them right speeds up all debugging.
The families
- 2xx — success: 200 OK · 201 Created (after POST) · 204 No Content (after DELETE)
- 3xx — redirects: 301 moved permanently (SEO juice transfers) · 302 temporary · 304 not modified (cache hit)
- 4xx — YOUR request is wrong: 400 bad input · 401 who are you? (no/invalid auth) · 403 I know you, you're not allowed · 404 not found · 409 conflict · 429 slow down (rate limit)
- 5xx — THE SERVER broke: 500 unhandled crash · 502 bad gateway (upstream died) · 503 overloaded/maintenance
The interview trap: 401 vs 403
401 Unauthenticated — missing/invalid credentials, "please log in". 403 Forbidden — valid login, insufficient permission, "you can't do that". Naming this cleanly is a mini flex.
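The 401/403 split falls out of the order of checks in a handler: authenticate first, authorize second. This sketch is an added example, not code from the original page; the token store, role names and the `authenticate`/`decide` functions are hypothetical and constructed for illustration.

```python
import hmac

# Constructed sample credential store: bearer token -> (user, roles).
TOKENS = {
    "tok-alice": ("alice", {"reader"}),
    "tok-admin": ("root", {"reader", "admin"}),
}


def authenticate(headers):
    """Return (user, roles) for a valid bearer token, else None.

    `headers` is a plain dict keyed by the exact name "Authorization"
    (an assumption; real frameworks normalise header case for you).
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for known, identity in TOKENS.items():
        # Constant-time comparison so the check does not leak token prefixes.
        if hmac.compare_digest(known.encode(), token.encode()):
            return identity
    return None


def decide(headers, required_role):
    """Return (status, response_headers) for a protected resource."""
    identity = authenticate(headers)
    if identity is None:
        # 401: we do not know who this is. A 401 response carries a
        # WWW-Authenticate header telling the client how to log in.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    _user, roles = identity
    if required_role not in roles:
        # 403: identity is known, permission is missing. Logging in
        # again with the same account will not change the answer.
        return 403, {}
    return 200, {}
```
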
Debugging heuristic
4xx → check your request (URL, body, headers, token). 5xx → check the server logs. This one habit halves debugging time.