Status codes are behavior contracts, not decoration. Clients automate around them.
Question
Which HTTP status codes should my API team standardize to keep client behavior predictable?
Quick answer
Use this baseline:
200/201for successful resource operations,400for client request shape errors,401/403for auth and permission boundaries,404for missing resources,409for state conflicts,429for rate policy enforcement,5xxonly for server-side fault.
Contract checks
- Return the same code for the same failure class every time.
- Keep error payload schema stable across endpoints.
- Never hide server faults behind
200with error text in body.
Predictable codes reduce client branching complexity fast.
Common failure pattern
Teams use 500 as a catch-all and lose observability into real error classes.
Baseline status mapping
| Scenario | Code |
|---|---|
| Valid read/update succeeded | 200 |
| Resource created | 201 |
| Request shape invalid | 400 |
| Missing/invalid auth | 401 |
| Authenticated but forbidden | 403 |
| Resource not found | 404 |
| State conflict | 409 |
| Rate policy hit | 429 |
| Server fault | 5xx |
Keep this mapping stable across services and your client complexity drops fast.
10-minute action step
- Pick one high-traffic endpoint and one failure mode.
- Define the exact API contract behavior you expect under load.
- Simulate burst traffic and verify status codes, headers, and retry guidance.
- Document one contract invariant and enforce it in automated tests.
Success signal
Your team can predict failure behavior from the contract without checking production logs.
