Cheat sheet · No. I
HTTP status codes.
Every HTTP response carries a three-digit verdict, and the first digit tells the whole story: 1 wait, 2 done, 3 look elsewhere, 4 you got it wrong, 5 we got it wrong.
The reference
1xx INFO
- 100 Continue. "I read your headers, send the body."
- 101 Switching Protocols. WebSocket upgrade.
- 103 Early Hints. Lets the client start preloading assets before the final response is ready.
2xx SUCCESS
- 200 OK. The default for a successful GET/POST response.
- 201 Created. After a POST that made something.
- 204 No Content. Success, nothing to return.
- 206 Partial Content. Range request answered.
3xx REDIRECT
- 301 Permanent. Cached forever; old URL is dead.
- 302 Found. Temporary; browser may change method.
- 304 Not Modified. Conditional GET hit cache.
- 307/308 Modern temporary/permanent (no method change).
4xx CLIENT
- 400 Bad Request. Malformed.
- 401 Unauthorized. Not authenticated.
- 403 Forbidden. Authenticated but not allowed.
- 404 Not Found.
- 409 Conflict. State-collision (e.g. concurrent edit).
- 422 Unprocessable. Well-formed, semantically wrong.
- 429 Too Many Requests. Rate-limited.
5xx SERVER
- 500 Internal Server Error. Generic crash.
- 502 Bad Gateway. Upstream returned an error.
- 503 Service Unavailable. Overloaded / maintenance.
- 504 Gateway Timeout. Upstream never replied.
Field notes
The blame line
4xx means the request was wrong — do not retry it unchanged. 5xx means the server failed — a retry with backoff may help.
401 vs 403
401 is "who are you?" (not authenticated). 403 is "I know you, and no" (authenticated but not allowed).
Use the modern redirects
Prefer 307/308 over 302/301 for APIs — they preserve the method and body. The old codes let clients silently turn a POST into a GET.
Rate limits
429 should ship a Retry-After header. Clients that honour it are what keep you alive under load.