What is the appropriate HTTP status code response for a general unsuccessful request (not an error)?

http rest http-status-codes
66,065

Solution 1

You should use 400 for business rules. Don't return 2xx if the order was not accepted. HTTP is an application protocol, never forget that. If you return 2xx the client can assume the order was accepted, regardless of any information you send in the body.

From RESTful Web Services Cookbook:

One common mistake that some web services make is to return a status code that reflects success (status codes from 200 to 206 and from 300 to 307) but include a message body that describes an error condition. Doing this prevents HTTP-aware software from detecting errors. For example, a cache will store it as successful response and serve it to subsequent clients even when clients may be able to make a successful request.

I'll leave it to you to decide between 4xx and 5xx, but you should use an error status code.

Solution 2

You should use 4xx for a client error if the client can modify the request to get around the error. Use a 5xx for a server error that the client can't really work around.

Product sold out would be a server error. The client can't modify the request in some fashion to get around the error. You could switch to another product but wouldn't that be a new request?

User maximum order limit reached is also a server error. Nothing the client can do to work around that error.

Credit card transaction failure would be a client error. The client could resubmit the request with a different payment method or credit card number to work around the error.

Solution 3

Error type:

4×× Client Error

Error code:

422 Unprocessable Entity

The server understands the content type of the request entity (hence a 415 Unsupported Media Type status code is inappropriate), and the syntax of the request entity is correct (thus a 400 Bad Request status code is inappropriate) but was unable to process the contained instructions.

For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.

https://httpstatuses.com/422

Solution 4

I know this question is old, but I came up with the very same question today. If my user runs out of credits, what status code should my REST API return?

I tend to lean towards 402 Payment Required:

According to Wikipedia:

Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.

And indeed they do:

PAYMENT_REQUIRED (402)

  • A daily budget limit set by the developer has been reached.
  • The requested operation requires more resources than the quota allows. Payment is required to complete the operation.
  • The requested operation requires some kind of payment from the authenticated user.

Solution 5

How about 424 Failed Dependency? The spec describes it as:

The method could not be performed on the resource because the requested action depended on another action and that action failed.

But there is also this definition:

Status code 424 is defined in the WebDAV standard and is for a case where the client needs to change what it is doing - the server isn't experiencing any problem here.

You can tell the client (or pretend) that you have internal actions which are supposed to create the order, and deduct the balance, and that one of those actions failed, albeit for perfectly valid reasons, and that's why the request failed.

As far as I can see, "action" is quite a broad term, and can be used in a variety of situations, including insufficient stock, insufficient credit, or warehouse party night.

Another option might be 422 Unprocessable Entity:

The server understands the content type of the request entity (hence a 415 Unsupported Media Type status code is inappropriate), and the syntax of the request entity is correct (thus a 400 Bad Request status code is inappropriate) but was unable to process the contained instructions.

For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.

Trying to request an item which is out of stock, or when you have insufficient credit, might be considered a mistake at the semantic level.

MozDev says this indicates a mistake on the client side, specifically: The client should not repeat this request without modification.

Loopback 4 uses 422 when input validation fails.

Arguably, insufficient stock or warehouse party night could be considered temporary states, so the request could be retried again later. That situation can be indicated by 503 Service Unavailable

The server is currently unable to handle the request due to a temporary overload or scheduled maintenance, which will likely be alleviated after some delay.

The server MAY send a Retry-After header field to suggest an appropriate amount of time for the client to wait before retrying the request.

Share:
66,065
Raelshark
Author by

Raelshark

Senior web software developer working in Virginia Beach, VA.

Updated on July 02, 2020

Comments

  • Raelshark
    Raelshark almost 4 years

    I'm creating a RESTful API that will process a number of user interactions, including placing orders using stored credit cards.

    In the case of a successful order, I'm returning a 200 OK, and in the case where the order request is malformed or invalid I'm returning a 400 Bad Request. But what should I return if there is a problem during the actual processing of the order?

    1. Client POSTS order to server for a user resource. If user does not exist, 404 Not Found is returned.
    2. Order format and information is validated. If not valid, 400 Bad Request is returned.
    3. Order is processed. If the order is successful, a 201 Created is returned for the order. If an unexpected error is encountered, a 500 Server Error is returned.

    The last step is the problem - what do I return if the order doesn't complete for any other reason? Possible scenarios could include:

    • Product is sold out
    • User maximum order limit reached
    • Credit card transaction failure (insufficient funds, etc.)

    This doesn't seem like it would be appropriate for either a 400 or 500. If anything I could see it as a 400 if there's no better code - the request was invalid according to the business rules. It just doesn't seem accurate.

    Edit: Also found this existing discussion of the same topic. All of the answers there seem to point to using status codes for this type of violation, with some discussion between using 400, 409, or the 422 extension.

  • Raelshark
    Raelshark about 12 years
    Do you have any examples or references for this approach versus the other? Both your and Widor's answers make sense, one from the perspective of HTTP as an application protocol, and the other as it being strictly for the purpose of the transfer. The spec defines it as an "application-level protocol", which is a little vague. I've also seen both perspectives and examples around the web when researching this.
  • carlin.scott
    carlin.scott over 8 years
    If the order limit is reached, shouldn't the client alert the user to that and let them change their request appropriately? That seems like a 4xx error. Same goes for the product being sold out. 5xx errors are intended for errors that are caused by the system breaking down in some way, not for an action that's disallowed by a business rule.
  • Zero3
    Zero3 over 7 years
    While the name of status code 406 might sound accurate by itself, you need to be aware that each status code has an authoritative textual description. The description for status code 406 is not suitable for the case at hand. See httpstatuses.com/406, for example.
  • Merc
    Merc about 7 years
    I agree with the comment above. 5xx errors are for when the server has problems. 4xx errors for business rules.
  • Young Hyun Yoo
    Young Hyun Yoo over 6 years
    this is so true.
  • Gregor
    Gregor about 6 years
    @Zero3 is right, this code means the response type is not acceptable, as there is a mismatch between the Accept Headers sent from the client and the MediaType(s) sent by the endpoint, e.g. application/json vs. text/plain
  • Yawar
    Yawar almost 6 years
    Do you mean, 'You should use 4xx for business rules'?
  • GTodorov
    GTodorov over 4 years
    None of those relate to a payment. I'm going with 402 from the previous answer!
  • GTodorov
    GTodorov over 4 years
    This is the most well thought and logical answer.
  • rubens
    rubens about 3 years
    I am assuming we are discussing HTTP status code in the context of a RESTful HTTP service. I read Dr. Fielding's dissertations a few times. One of my interpretations of Dr. Fielding's thesis was that REST is a set of guidelines that helped shape/architect the web. And in the web I don't see 400's being returned for business rules errors. Therefore, I am inclined to use 200's for business rules, and the HTTP response body elaborates on the business error. Now this would be different for request parameter validation where the parameter is clearly invalid as per contract -- that is a 400.
  • iwat0qs
    iwat0qs about 2 years
    I'm also curios about the topic, since according to the HTTP spec, 400 means that request is beyond repairing and must not be repeated. The uses cases that OP has presented are not like that. The request is valid, and can be repeated.
  • iwat0qs
    iwat0qs about 2 years
    As I mentioned in my other comment, I'm also curious about the topic, but the reasoning that this is a client problem doesn't solve it for me. 400 means the request is invalid beyond repairing, according to the HTTP spec. There's no sense in retrying it again. But for all of the use-cases that OP has mentioned, the request is worth repeating without any changes. Items can be restocked, limits can be reset, and transactions can be retried. Insufficient funds in neither a client's nor a server's problem.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

HTTP 200 or 404 for empty list?
Correct HTTP status code when resource is available but not accessible because of permissions
Correct HTTP status code for login form?
HTTP statuscode to retry same request
Authorization in RESTful HTTP API, 401 WWW-Authenticate
HTTP Status Code for External Dependency Error
HTTP status code for unaccepted Content-Type in request
HTTP status code for "no data available" from an external datasource
When is it appropriate to respond with a HTTP 412 error?
Convention for HTTP response header to notify clients of deprecated API