What is the appropriate HTTP status code response for a general unsuccessful request (not an error)?

http rest http-status-codes
Raelshark picture Raelshark · Feb 21, 2012 · Viewed 53.9k times · Source

I'm creating a RESTful API that will process a number of user interactions, including placing orders using stored credit cards.

In the case of a successful order, I'm returning a 200 OK, and in the case where the order request is malformed or invalid I'm returning a 400 Bad Request. But what should I return if there is a problem during the actual processing of the order?

  1. Client POSTS order to server for a user resource. If user does not exist, 404 Not Found is returned.
  2. Order format and information is validated. If not valid, 400 Bad Request is returned.
  3. Order is processed. If the order is successful, a 201 Created is returned for the order. If an unexpected error is encountered, a 500 Server Error is returned.

The last step is the problem - what do I return if the order doesn't complete for any other reason? Possible scenarios could include:

  • Product is sold out
  • User maximum order limit reached
  • Credit card transaction failure (insufficient funds, etc.)

This doesn't seem like it would be appropriate for either a 400 or 500. If anything I could see it as a 400 if there's no better code - the request was invalid according to the business rules. It just doesn't seem accurate.

Edit: Also found this existing discussion of the same topic. All of the answers there seem to point to using status codes for this type of violation, with some discussion between using 400, 409, or the 422 extension.

Answer

Max Toro picture Max Toro · Feb 21, 2012

You should use 400 for business rules. Don't return 2xx if the order was not accepted. HTTP is an application protocol, never forget that. If you return 2xx the client can assume the order was accepted, regardless of any information you send in the body.

From RESTful Web Services Cookbook:

One common mistake that some web services make is to return a status code that reflects success (status codes from 200 to 206 and from 300 to 307) but include a message body that describes an error condition. Doing this prevents HTTP-aware software from detecting errors. For example, a cache will store it as successful response and serve it to subsequent clients even when clients may be able to make a successful request.

I'll leave it to you to decide between 4xx and 5xx, but you should use an error status code.

Related questions

REST HTTP status codes for failed validation or invalid duplicate

I am building an application with a REST-based API and have come to the point where I am specifying status codes for each requests. What status code should i send for requests failing validation or where a request is trying …

Read More
HTTP response code for POST when resource already exists

I'm building a server that allows clients to store objects. Those objects are fully constructed at client side, complete with object IDs that are permanent for the whole lifetime of the object. I have defined the API so that clients …

Read More
HTTP status code for "no data available" from an external datasource

Scenario: A POST request is sent to process an order that will result in data retrieval from an external datasource. There are three possible results: The datasource returned data for the request No data was available for the request (this …

Read More