Why I wrote this: In 2025 I integrated aijsons.com with twelve third-party APIs — payment gateways, analytics pipelines, CDN purge endpoints, email delivery services, and a handful of JSON-related SaaS tools. Every single integration hit at least one status code that wasn't documented in the vendor's API reference. Some returned 200 OK with an error buried in the JSON body. Some returned 401 when they meant 403. One CDN provider returned 500 for a rate limit that should have been 429. This article is the field guide I built across those twelve integrations: what each status code actually means at the HTTP wire level, how to debug it with tools you already have, and the real production stories that taught me each lesson the hard way.
The 2xx Trap: When 200 OK Means the Request Failed
HTTP 2xx codes signal that the server received, understood, and accepted the request. In a REST API, 200 OK should mean "your request succeeded." But in practice, many APIs treat HTTP as a transport layer and bury their real response semantics inside a JSON envelope.
The Envelope Anti-Pattern
Here is a real response I received from a payment provider's sandbox environment in early 2025:
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "error",
"error_code": "INSUFFICIENT_FUNDS",
"message": "The account does not have sufficient balance.",
"transaction_id": null
}The HTTP layer says success. The application layer says failure. If your integration only checks response.ok in JavaScript or response.status_code == 200 in Python, you will silently treat this as a successful transaction — and then wonder why the webhook never fires.
The fix: Always parse the response body before branching on status. In every aijsons.com integration, we use a two-level check:
async function apiCall(url, options) {
const res = await fetch(url, options);
const body = await res.json();
// Level 1: HTTP transport layer
if (!res.ok) {
throw new ApiError(res.status, body);
}
// Level 2: Application layer
if (body.status === 'error' || body.error) {
throw new ApiError(res.status, body, 'application_error');
}
return body;
}This pattern has caught envelope errors from Stripe, SendGrid, and two analytics APIs that all use 200 as their transport ack but signal failure in the payload.
201 Created: The Missing Location Header
201 Created means the server created a resource. RFC 7231 says the response should include a Location header pointing to the new resource. In practice, roughly 40% of the APIs I integrated omitted this header. The body contained the new resource ID, but extracting it required parsing a JSON field whose name varied across providers: id, resource_id, object_id, uuid, ref.
Defensive pattern: Check the Location header first; if absent, fall back to a configurable field map per API provider.
function extractResourceId(response, provider) {
const location = response.headers.get('Location');
if (location) {
const segments = location.split('/');
return segments[segments.length - 1];
}
const idFields = {
stripe: 'id',
sendgrid: 'id',
mailgun: 'message_id',
custom: 'resource_id'
};
const field = idFields[provider] || 'id';
return response.body[field];
}204 No Content: The Silent Success
204 No Content is the correct response for a successful DELETE or a PATCH that produces no response body. The problem: fetch() and axios both throw or return undefined when you call .json() on an empty body. If your code always expects JSON, a 204 will crash your pipeline.
// Wrong — crashes on 204
const data = await res.json();
// Right — guards against empty body
const text = await res.text();
const data = text ? JSON.parse(text) : null;3xx Redirects in API Context: Follow or Fail?
3xx codes are HTTP's way of saying "the resource moved." In a browser, the redirect happens transparently. In an API client, the behavior depends on your HTTP library and whether you should follow the redirect at all.
301 vs 302 vs 307 vs 308: A Quick Reference
| Code | Meaning | Method Change? | API Client Behavior |
|---|---|---|---|
| 301 | Moved Permanently | May change POST to GET | Update your base URL; do not rely on auto-follow for POST |
| 302 | Found (temporary) | May change POST to GET | Auto-follow for GET; manually handle POST |
| 307 | Temporary Redirect | Preserves method | Safe to auto-follow |
| 308 | Permanent Redirect | Preserves method | Update base URL; safe to auto-follow |
Real story: A CDN purge endpoint we integrated returned 301 after migrating their API from v1 to v2. Our Node.js axios client silently followed the redirect, but converted our POST to a GET — so the purge never executed, cached stale JSON stayed live for six hours, and users reported "data not updating." The fix: detect 301 on POST endpoints, log a warning, and update the configured base URL.
4xx: The Client Error Spectrum
4xx means the server believes the client made a mistake. That belief isn't always correct — but the status code gives you a starting point for debugging.
400 Bad Request: The Garbage In, Garbage Out Code
400 is the most generic 4xx code. It means "your request is malformed, but I won't tell you how." In well-designed APIs, the response body includes a structured error. In poorly-designed APIs, you get a blank 400 with no clues.
Common causes we've hit at aijsons.com:
- Invalid JSON in the request body — missing comma, trailing comma, unquoted keys. Validate with our JSON Validator before sending.
- Wrong Content-Type header — sending
application/jsonwhen the endpoint expectsapplication/x-www-form-urlencoded. - Missing required fields — the API's schema validation rejects the payload but the error message is buried in a nested JSON field.
- Date format mismatch — sending
2026-06-06when the API expects ISO 8601 with timezone:2026-06-06T00:00:00Z.
# Always log the full response body on 400 — it's your only clue
curl -v -X POST https://api.example.com/v1/resource \
-H "Content-Type: application/json" \
-d '{"name":"test"}' 2>&1 | tee debug.log401 vs 403: The Distinction That Trips Everyone
This is the most commonly confused pair in HTTP. The distinction is precise and important:
| 401 Unauthorized | 403 Forbidden | |
|---|---|---|
| Meaning | You haven't proven who you are | I know who you are, but you can't do that |
| Cause | Missing, expired, or invalid credentials | Valid credentials, insufficient permissions |
| Recovery | Re-authenticate — refresh token, re-login | Check permissions — you can't fix this client-side |
| Retry? | Yes — after getting fresh credentials | No — same credentials will fail again |
Real story — Stripe webhook signature verification: Our Stripe webhook handler returned 401 for every test event. The error message said "No signatures found matching the expected signature." We spent 30 minutes checking API keys before realizing the issue wasn't authentication — the webhook signing secret was correct, but we were reading the raw body incorrectly after a body-parser middleware had already consumed the stream. Stripe's SDK needs the raw request body, not the parsed JSON. This was a 400 (malformed verification input) disguised as a 401.
Real story — AWS S3 presigned URL: An S3 upload endpoint returned 403 Forbidden despite valid AWS credentials. The cause: the IAM policy allowed s3:PutObject but not s3:PutObjectAcl, and our client library was setting ACL headers by default. Valid identity, insufficient permission — a textbook 403. The fix was removing the ACL header from the upload request, not touching credentials.
Debugging heuristic: When you see 401, check your token. When you see 403, check your permissions — and don't waste time rotating keys.
404 Not Found: It's Not Always Missing
404 means the server can't find the requested resource. But in API integrations, 404 often masks other problems:
- Wrong base URL: the endpoint exists at
/v2/usersbut you're hitting/v1/users. - Missing trailing slash: some frameworks route
/api/resourceand/api/resource/differently. - ID format mismatch: you're passing an integer ID but the API expects a UUID string.
- Soft-deleted resource: the resource exists but the API returns 404 instead of 410 Gone.
Real story — SendGrid dynamic template: We spent 45 minutes debugging a 404 from SendGrid's /v3/templates/{template_id}/versions endpoint. The template ID was correct, the API key had full permissions, and the template existed in the dashboard. The problem: we were passing the template name (a human-readable string) instead of the template ID (a UUID). SendGrid's API returned 404 with a generic "not found" message that didn't distinguish between "this UUID doesn't exist" and "you didn't send a UUID."
405 Method Not Allowed: The Silent Router Failure
405 means the URL exists, but the HTTP method you used is not supported. The response must include an Allow header listing valid methods. Check it — it tells you whether you used the wrong verb or hit the wrong endpoint entirely.
409 Conflict: When State Machines Collide
409 signals a resource state conflict. Common in APIs with workflow states: you can't "ship" an order that hasn't been "paid," or "publish" a draft that hasn't been "reviewed." The response body should tell you the current state and the expected transition — but many APIs omit this and just return a generic conflict message.
422 Unprocessable Entity: The Semantic 400
422 (from WebDAV, adopted by REST APIs) means the server understands the request body but can't process it due to semantic errors. Unlike 400 (syntax error), 422 means the JSON is valid but the values are wrong: an email field contains a phone number, a date is in the past, a required relationship references a deleted resource.
Rails, Laravel, and FastAPI all use 422 for validation failures. If an API returns 422, the response body almost always contains field-level error details — parse them programmatically, don't just log the status code.
429 Too Many Requests: Rate Limiting Strategies That Actually Work
429 means you've exceeded the API's rate limit. The response should include:
Retry-Afterheader — seconds until you can retry (or an HTTP-date).X-RateLimit-Limit— your total allowance per window.X-RateLimit-Remaining— how many requests you have left.X-RateLimit-Reset— Unix timestamp when the window resets.
Real story — GitHub API rate limiting: Our JSON Formatter and JSON Validator tools use a "Load from URL" feature that fetches JSON from user-supplied URLs. When a user pasted a GitHub raw file URL, our server-side proxy hit GitHub's unauthenticated rate limit (60 requests/hour) within minutes. The fix: detect GitHub URLs and add a ?client_id=...&client_secret=... query string to bump the limit to 5,000 requests/hour.
Backoff strategies ranked by effectiveness:
- Fixed delay — wait N seconds, retry. Simplest, worst under load.
- Exponential backoff — wait 1s, 2s, 4s, 8s, 16s. Standard choice.
- Exponential backoff + jitter — add random delay to avoid thundering herd. Best for distributed systems.
- Retry-After header — follow the server's explicit instruction. Always prefer this when available.
async function fetchWithRetry(url, options, maxRetries = 3) {
for (let attempt = 0; attempt <= maxRetries; attempt++) {
const res = await fetch(url, options);
if (res.status !== 429) return res;
// Prefer server-specified delay
const retryAfter = res.headers.get('Retry-After');
const delay = retryAfter
? parseInt(retryAfter) * 1000
: Math.min(1000 * Math.pow(2, attempt) + Math.random() * 1000, 30000);
console.warn(`Rate limited. Retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`);
await new Promise(r => setTimeout(r, delay));
}
throw new Error('Max retries exceeded');
}5xx: Server Error Triage Framework
5xx codes mean the server failed. Your request was probably fine. But "probably" is not certainty — some APIs return 500 for malformed requests that should be 400.
500 Internal Server Error: The Null Pointer of HTTP
500 is the server's way of saying "something went wrong and I'm not going to tell you what." In practice, treat every 500 as a candidate for retry — but only after a delay. Retrying immediately against a broken server makes the outage worse for everyone.
Triage steps:
- Check the response body — some frameworks leak stack traces in 500 responses during development.
- Check the
X-Request-IdorX-Trace-Idheader — pass it to the API provider's support team. - Wait 5 seconds and retry once. If it fails again, back off for 30+ seconds.
- If the error persists for >2 minutes, check the provider's status page — this is likely their outage, not your bug.
502 Bad Gateway & 503 Service Unavailable: The Infrastructure Codes
502 means an upstream server (behind a proxy/gateway) returned an invalid response. 503 means the server is temporarily down (overloaded or under maintenance). Both typically include a Retry-After header.
Real story — Cloudflare API 502 cascade: During a CDN cache purge, our worker called Cloudflare's API and got 502. We retried immediately (bad), got 502 again, retried again — and triggered Cloudflare's rate limiter, which returned 429 on top of the existing 502. Three lessons: (1) always check Retry-After before retrying 502/503, (2) implement circuit breakers that stop retries after N consecutive failures, (3) log the Cf-Ray header — Cloudflare support needs it for tracing.
504 Gateway Timeout: The Long-Running Request Killer
504 means the upstream server didn't respond within the proxy's timeout window. Common with report generation APIs, large file uploads, and batch processing endpoints. Solutions: (1) switch to async patterns — submit the job, get a 202 Accepted with a status endpoint, poll until complete; (2) increase the client timeout — but only if you control the proxy; (3) paginate the request — break it into smaller chunks.
RFC 9457: Problem Details for HTTP APIs
RFC 9457 (formerly RFC 7807) defines a standard JSON format for API error responses. When an API implements it, debugging becomes dramatically easier because every error has the same shape:
HTTP/1.1 422 Unprocessable Entity
Content-Type: application/problem+json
{
"type": "https://api.example.com/errors/validation-failed",
"title": "Validation Failed",
"status": 422,
"detail": "The 'email' field must be a valid email address.",
"instance": "/api/v1/users/12345",
"errors": [
{
"field": "email",
"message": "must be a valid email address",
"code": "invalid_format"
},
{
"field": "age",
"message": "must be a positive integer",
"code": "out_of_range"
}
]
}The key fields:
- type — a URI identifying the error type. Should resolve to human-readable documentation.
- title — a short, human-readable summary (same for all occurrences of this type).
- status — the HTTP status code (redundant but useful when errors are logged separately).
- detail — a human-readable explanation specific to this occurrence.
- instance — a URI identifying the specific request that caused the error.
How we use RFC 9457 at aijsons.com: Our internal API proxy validates every third-party response and normalizes non-standard errors into Problem Details format. This means our monitoring dashboard, alerting system, and debug logs all speak the same error language — regardless of whether the upstream API returned a Stripe-style error, a Cloudflare-style error, or raw HTML in a 500 response.
function normalizeError(status, body, provider) {
// If the provider already uses RFC 9457, pass through
if (body.type && body.title && body.status) return body;
// Normalize common patterns
return {
type: `https://www.aijsons.com/errors/${provider}-error`,
title: getTitleForStatus(status),
status: status,
detail: body.message || body.error || body.detail || 'Unknown error',
instance: body.request_id || body.trace_id || null,
provider: provider,
raw: body // Preserve original for debugging
};
}The 60-Second Decision Tree
When you see an HTTP status code during API debugging, run through this decision tree before opening a support ticket:
Status code received
│
├─ 2xx ── Parse body → Check for envelope errors → OK? Continue
│
├─ 3xx ── Is it POST/PATCH/DELETE? ── Yes → Manually follow (preserve method)
│ │ ── No → Auto-follow
│
├─ 4xx ── 400 → Check Content-Type, validate JSON, check required fields
│ │
│ ├─ 401 → Is token expired/missing? ── Yes → Refresh token, retry
│ │ ── No → Check auth header format
│ │
│ ├─ 403 → Don't retry with same credentials. Check permissions.
│ │
│ ├─ 404 → Check URL spelling, trailing slash, ID format (UUID vs int)
│ │
│ ├─ 409 → Read body for current state vs required state
│ │
│ ├─ 422 → Parse field-level errors from body. Fix and retry.
│ │
│ └─ 429 → Read Retry-After header. Exponential backoff + jitter.
│
└─ 5xx ── Retry-After header present? ── Yes → Wait, retry once
│ ── No → Wait 5s, retry once
│
└─ Still failing? → Check provider status page. Log request ID.Quick Reference Table
| Code | Name | Debugging Priority | Retry? |
|---|---|---|---|
| 200 | OK | Check body for envelope errors | N/A |
| 201 | Created | Check Location header | No (duplicate) |
| 204 | No Content | Don't parse body | No |
| 301/308 | Permanent Redirect | Update base URL | Follow once |
| 400 | Bad Request | Validate payload, Content-Type | After fixing |
| 401 | Unauthorized | Refresh token, check auth header | After re-auth |
| 403 | Forbidden | Check IAM/RBAC permissions | Do NOT retry |
| 404 | Not Found | Check URL, ID format, trailing slash | After confirming URL |
| 409 | Conflict | Check resource state, concurrent edits | After state change |
| 422 | Unprocessable | Fix field-level errors from body | After fixing |
| 429 | Too Many Requests | Read Retry-After, add jitter | After backoff |
| 500 | Internal Server Error | Log request ID, check status page | Once, after 5s |
| 502 | Bad Gateway | Upstream failure, check Retry-After | After delay |
| 503 | Service Unavailable | Server overloaded, check Retry-After | After delay |
| 504 | Gateway Timeout | Request too slow, switch to async | After reducing payload |
Building a Status Code Debugging Toolkit
After twelve integrations, here are the tools and patterns that saved the most time:
1. A Request/Response Logger
Log every API call with: method, URL, status code, response headers (X-Request-Id, Retry-After, rate limit headers), and a truncated response body. Structured logging (JSON) makes it searchable. At aijsons.com, we log all third-party API calls to a rotating file and use our JSON Formatter to pretty-print the logs during debugging sessions.
2. A Status Code Map
Maintain a per-provider mapping of status codes to recovery actions. Not all APIs use status codes correctly — your map documents the actual behavior, not the RFC ideal:
const providerBehavior = {
stripe: {
200: 'parse_and_validate',
401: 'refresh_api_key',
402: 'payment_required', // Stripe-specific
429: 'exponential_backoff_jitter'
},
sendgrid: {
200: 'parse_and_validate',
202: 'async_pending', // SendGrid uses 202 for queued mail
401: 'refresh_api_key',
429: 'retry_after_header' // SendGrid's Retry-After is reliable
}
};3. A Curl Debugging Template
When an integration fails and you need to reproduce the issue independently of your code, use this verbose curl template:
curl -v -X POST "https://api.example.com/v1/endpoint" \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d @payload.json \
-w "\nHTTP Status: %{http_code}\nTime: %{time_total}s\n" \
-o response.json \
2>&1 | tee debug-$(date +%Y%m%d-%H%M%S).logThe -w flag outputs timing data; -o response.json saves the body separately so it doesn't pollute the debug log; tee writes to both stdout and a timestamped file.
4. A Circuit Breaker
For any API call that happens in a hot path, wrap it in a circuit breaker that opens after N consecutive failures and stays open for a cooldown period. This prevents cascading failures and gives the upstream service time to recover:
class CircuitBreaker {
constructor(threshold = 5, cooldownMs = 30000) {
this.failures = 0;
this.threshold = threshold;
this.cooldownMs = cooldownMs;
this.openUntil = 0;
}
async call(fn) {
if (Date.now() < this.openUntil) {
throw new Error('Circuit breaker open');
}
try {
const result = await fn();
this.failures = 0;
return result;
} catch (err) {
this.failures++;
if (this.failures >= this.threshold) {
this.openUntil = Date.now() + this.cooldownMs;
console.error(`Circuit breaker opened for ${this.cooldownMs}ms`);
}
throw err;
}
}
}Key Takeaways
- Never trust 200 OK alone. Parse the response body and check for application-layer error envelopes. The HTTP status code is a transport signal, not a business-logic signal.
- 401 vs 403: authentication vs authorization. 401 means "who are you?" — refresh your token. 403 means "I know who you are, but no" — check permissions, don't retry.
- 429 is a negotiation, not a rejection. Read
Retry-After, implement exponential backoff with jitter, and never hammer a rate-limited endpoint. - 5xx errors are usually not your fault. Retry once with a delay, then escalate. Log the
X-Request-Idheader for support tickets. - RFC 9457 Problem Details is the closest thing we have to a universal error format. When building APIs, implement it. When consuming APIs, normalize errors into it.
- Treat every integration as a learning dataset. After twelve integrations, the pattern is clear: every API has at least one status code quirk. Document it in a provider behavior map so the next developer doesn't rediscover it at 2 AM.