What s an appropriate HTTP status code to return by a REST API service for a validation failure

Question

I m currently returning 401 Unauthorized whenever I encounter a validation failure in my Django Piston based REST API application   Having had a look at the HTTP Status Code Registry  I m not convinced that this is an appropriate code for a validation failure  what do y all recommend       400       Bad Request  401       Unauthorized  403       Forbidden  405       Method Not Allowed  406       Not Acceptable  412       Precondition Failed  417       Expectation Failed  422       Unprocessable Entity  424       Failed Dependency      Update   Validation failure  above means an application level data validation failure  i e   incorrectly specified datetime  bogus email address etc

User · Answer

What exactly do you mean by  validation failure   What are you validating  Are you referring to something like a syntax error  e g  malformed XML    If that s the case  I d say 400 Bad Request is probably the right thing  but without knowing what it is you re  validating   it s impossible to say

User · Answer

There s a little bit more information about the semantics of these errors in RFC 2616  which documents HTTP 1 1   Personally  I would probably use 400 Bad Request  but this is just my personal opinion without any factual support

User · Answer

If  validation failure  means that there is some client error in the request  then use HTTP 400  Bad Request    For instance if the URI is supposed to have an ISO-8601 date and you find that it s in the wrong format or refers to February 31st  then you would return an HTTP 400   Ditto if you expect well-formed XML in an entity body and it fails to parse    1 2016   Over the last five years WebDAV s more specific HTTP 422  Unprocessable Entity  has become a very reasonable alternative to HTTP 400   See for instance its use in JSON API  But do note that HTTP 422 has not made it into HTTP 1 1  RFC-7231   Richardson and Ruby s RESTful Web Services contains a very helpful appendix on when to use the various HTTP response codes   They say      400     Bad Request       Importance  High    This is the generic client-side error status  used when no other 4xx error code is appropriate  It   s commonly used when the client submits a representation along with a   PUT or POST request  and the representation is in the right format  but it doesn   t make   any sense   p  381    and      401     Unauthorized       Importance  High    The client tried to operate on a protected resource without providing the proper authentication credentials  It may have provided the wrong credentials  or none at all    The credentials may be a username and password  an API key  or an authentication   token   whatever the service in question is expecting  It   s common for a client to make   a request for a URI and accept a 401 just so it knows what kind of credentials to send   and in what format

User · Answer

Here it is    rfc2616 section-10 4 1 - 400 Bad Request     The request could not be understood by the server due to malformed    syntax  The client SHOULD NOT repeat the request without modifications    rfc7231 section-6 5 1 - 6 5 1   400 Bad Request     The 400  Bad Request  status code indicates that the server cannot    or    will not process the request due to something that is perceived   to be    a client error  e g   malformed request syntax  invalid request    message framing  or deceptive request routing     Refers to malformed  not wellformed  cases   rfc4918 - 11 2   422 Unprocessable Entity     The 422  Unprocessable Entity  status code means the server   understands the content type of the request entity  hence a 415  Unsupported Media Type  status code is inappropriate   and the syntax of the request entity is correct  thus a 400  Bad Request  status code is inappropriate  but was unable to process the contained instructions   For example  this error condition may occur if an XML request body contains well-formed  i e   syntactically correct   but semantically erroneous  XML instructions    Conclusion  Rule of thumb     00 covers the most general case and cases that are not covered by designated code   422 fits best object validation error  precisely my recommendation   As for semantically erroneous - Think of something like  This username already exists  validation    400 is incorrectly used for object validation

User · Answer

From RFC 4918  and also documented at http   www iana org assignments http-status-codes http-status-codes xhtml       The 422  Unprocessable Entity  status code means the server     understands the content type of the request entity  hence a     415  Unsupported Media Type  status code is inappropriate   and the     syntax of the request entity is correct  thus a 400  Bad Request      status code is inappropriate  but was unable to process the contained     instructions   For example  this error condition may occur if an XML     request body contains well-formed  i e   syntactically correct   but     semantically erroneous  XML instructions

User · Answer

I would say technically it might not be an HTTP failure  since the resource was  presumably  validly specified  the user was authenticated  and there was no operational failure  however even the spec does include some reserved codes like 402 Payment Required which aren t strictly speaking HTTP-related either  though it might be advisable to have that at the protocol level so that any device can recognize the condition    If that s actually the case  I would add a status field to the response with application errors  like   lt status gt  lt code gt 4 lt  code gt  lt message gt Date range is invalid lt  message gt  lt  status gt

User · Answer

A duplicate in the database should be a 409 CONFLICT   I recommend using 422 UNPROCESSABLE ENTITY for validation errors   I give a longer explanation of 4xx codes here  http   parker0phil com 2014 10 16 REST http 4xx status codes syntax and sematics

[validation] What's an appropriate HTTP status code to return by a REST API service for a validation failure?

Examples related to validation

Examples related to rest

Examples related to http-status-codes

Examples related to http-status-code-415