
4xx Error Guide

Xavier
2 min read

While troubleshooting an error, my coworker said, "Oh, that's 4xx, so that's a client error". I never approached troubleshooting like this. I just knew that 200s were good, and 500s were bad 😅. Knowing that 400 relates to the client eliminates much troubleshooting and saves time. In this post, I'll go over the 4 most common 4xx errors I've encountered.

What is the 4xx Error Code?

When you see a 4xx error, this indicates a client-side error. The request contains bad syntax or cannot be fulfilled. Remember, the client asks and the server answers.

400 (Bad Request)

This status code indicates that the server cannot or will not process the request due to a client error. The server is saying, "I have no idea what you just sent me". For example, let's say you send the following request with broken JSON:

curl -i \
  -X POST https://api.example.com/api/users \
  -H "Content-Type: application/json" \
  -d '{"name": "Xavier", "email": }'

This will return a 400 Bad Request error.

401 (Unauthorized)

This status code indicates you're unauthorized. It's the doorman at the speakeasy expecting the correct password. Common causes for this could be missing or expired tokens, a bad API key, or a missing Authorization header. "But I did include Authorization in the request." Then the authorization has been refused.

403 (Forbidden)

This status code indicates that you are authenticated but not allowed to perform whatever you were attempting to do. Think of it as getting past the doorman, only to be stopped by security inside. The server knows who you are, but it just refuses to let you access the resource. Common causes include insufficient permissions or role-based access controls (RBAC). For example, you might be a part of the Marketing team, but not allowed to review certain documents.

404 (Not Found)

This status code means the server is reachable, but the resource you’re asking for doesn’t exist. The door is there, the building is open, but the room you’re looking for isn’t. Common causes include incorrect URLs, removed or renamed endpoints, bad routing rules, or requests hitting the wrong service entirely.

The key detail that really helped this code stick for me: The app is up and responding, your request just didn't map to anything valid.

405 (Method Not Allowed)

This status code means the endpoint exists, but the HTTP method you used is not supported. Think of it like knocking on the right door with the wrong approach. For example, sending a POST to an endpoint that only allows GET, or trying to DELETE a resource that’s read-only. In many cases, the response will include an Allow header listing the permitted methods. This one shows up often with REST APIs and strict routing rules—and it’s a strong hint that your logic is wrong, not the URL.
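To see where each of the five codes comes from on the server side, here is an added example (not from the original post) of a request handler that makes the checks in one common order: routing, method, authentication, authorization, then body parsing. The route table, tokens, roles and the order of the checks are assumptions made for illustration.

```python
import json

# Constructed sample data: these routes, tokens and roles are hypothetical.
ROUTES = {"/api/users": {"GET", "POST"}, "/api/reports": {"GET"}}
TOKENS = {"tok-marketing": "marketing", "tok-admin": "admin"}
REQUIRED_ROLE = {"/api/reports": "admin"}


def handle(method, path, headers=None, body=None):
    """Return (status, response_headers) for a single request."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}

    # 404: the server is up, but nothing is mapped to this path.
    if path not in ROUTES:
        return 404, {}

    # 405: the path exists, the method does not. Allow lists what would work.
    if method not in ROUTES[path]:
        return 405, {"Allow": ", ".join(sorted(ROUTES[path]))}

    # 401: no Authorization header, wrong scheme, or a token we do not know
    # (an expired token would land here too).
    scheme, _, token = headers.get("authorization", "").partition(" ")
    role = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if role is None:
        return 401, {"WWW-Authenticate": "Bearer"}

    # 403: we know who the caller is, but their role is not permitted here.
    needed = REQUIRED_ROLE.get(path)
    if needed and role != needed:
        return 403, {}

    # 400: the caller is allowed in, but the body is not valid JSON.
    if method == "POST":
        try:
            json.loads(body or "")
        except json.JSONDecodeError:
            return 400, {}
        return 201, {}
    return 200, {}
```

Because the checks run in this order, the broken-JSON request from the 400 section only reaches the 400 branch when it carries a valid token; without one, this handler answers 401 first.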
