Which HTTP status code to say username or password were incorrect?

http authorization http-status-codes
Nodari Lipartiya picture Nodari Lipartiya · Sep 29, 2014 · Viewed 21.4k times · Source

I am implementing a simple registation/login module.

While testing user credentials, I start thinking which HTTP status code will be appropriate, for the situation if a user send a request with incorrect credentials.

At first, I thought 401 Unauthorized would be a nice status code, but it seems it will be better to use it when a user is trying to get some resource without authorisation.

After, I switched to 409 Conflict

This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request.

So, friends, please give me an advise, which status code should be used.

Answer

Julian Reschke picture Julian Reschke · Sep 29, 2014

If you use HTTP authentication as defined by RFC 7235, 401 would be correct (for missing or incorrect credentials).

Otherwise, use 403.

Related questions

How to define the basic HTTP authentication using cURL correctly?

I'm learning Apigility (Apigility docu -> REST Service Tutorial) and trying to send a POST request with basic authentication via cURL: $ curl -X POST -i -H "Content-Type: application/hal+json" -H "Authorization: Basic YXBpdXNlcjphcGlwd2Q=" http://apigilityhw.sandbox.loc/…

Read More
How to get http headers in flask?

I am newbie to python and using Python Flask and generating REST API service. I want to check authorization header which is sent the client. But I can't find way to get HTTP header in flask. Any help for getting …

Read More
Custom HTTP Authorization Header

I was wondering if it's acceptable to put custom data in an HTTP authorization header. We're designing a RESTful API and we may need a way to specify a custom method of authorization. As an example, let's call it FIRE-TOKEN …

Read More