Three digits, five classes, ~75 codes you might actually see. The leading digit tells you who’s responsible — informational, success, redirect, your fault, our fault. Once you know the class, you know what to do next.
The five classes, in one table
- 1xx Informational — Provisional. The server got your request and is continuing. Rarely seen at the application level.
- 2xx Success — Worked. Process the body and move on.
- 3xx Redirection — Resource is elsewhere. Follow the Location header.
- 4xx Client error — Your request is wrong somehow. Don’t retry without changing it.
- 5xx Server error — Server’s problem. Often transient — retry with exponential backoff.
2xx — the wins
- 200 OK — Generic success. The default.
- 201 Created — POST succeeded and created a new resource. Should include a Location header pointing at the new thing.
- 204 No Content — Success, but the body is empty. Common for DELETE responses.
- 206 Partial Content — Range request worked. Used by video streaming, resumable downloads.
3xx — “look elsewhere”
- 301 Moved Permanently vs 308 Permanent Redirect — Both say “use this URL forever.” 308 explicitly preserves the HTTP method; 301 historically may rewrite POST → GET. Prefer 308 for APIs.
- 302 Found vs 307 Temporary Redirect — Same distinction, but for “use this URL for now.” Prefer 307.
- 304 Not Modified — Cached version is still fresh. Server sent no body — your client should reuse what it has.
// TRY THE TOOL
SEARCH ALL CODES.
Searchable reference for every status code with class filters and Cloudflare-specific 5xx range.
OPEN →
4xx — your request is the problem
- 400 Bad Request — Server can’t parse what you sent. Usually JSON syntax error or missing required field.
- 401 Unauthorized — No credentials or invalid credentials. Misnamed; it means “not authenticated.”
- 403 Forbidden — You’re authenticated, but not allowed.
- 404 Not Found — Resource doesn’t exist (or the server isn’t admitting it does).
- 405 Method Not Allowed — Resource exists, but not for that HTTP method (e.g. POST to a GET-only endpoint).
- 409 Conflict — Edit conflict, duplicate entry, version mismatch.
- 422 Unprocessable Content — Syntactically fine but semantically wrong. APIs use this for validation errors (missing fields, out-of-range values).
- 429 Too Many Requests — Rate limited. Honor the Retry-After header. Backoff exponentially if it’s missing.
5xx — server’s problem
- 500 Internal Server Error — Generic crash. Logs are your friend.
- 502 Bad Gateway — Upstream returned malformed response. Origin probably crashed.
- 503 Service Unavailable — Server overloaded or down for maintenance. Should include Retry-After.
- 504 Gateway Timeout — Upstream took too long. Origin slow or unreachable.
- 520–526 — Cloudflare-specific. 521 = origin down. 522 = TCP timeout. 525 = TLS handshake failed. Check origin, not Cloudflare.
What to do with each class
- 2xx — Process the body.
- 3xx — Follow Location header. Most clients do this automatically.
- 4xx — Fix the request. Don’t retry without changes.
- 429 — Wait for Retry-After, then retry.
- 5xx — Retry with exponential backoff (1s, 2s, 4s, 8s…), give up after a few attempts.