Returning http 200 OK with error within response body

Learn returning http 200 ok with error within response body with practical examples, diagrams, and best practices. Covers http, http-status-code-400, http-status-code-200 development techniques wit...

Returning HTTP 200 OK with Error Details in the Response Body

Hero image for Returning http 200 OK with error within response body

Explore the nuances of API error handling, specifically when to return an HTTP 200 OK status code alongside error information within the response body, and when to opt for more specific HTTP error codes.

In the world of API design, proper error handling is crucial for creating robust and user-friendly services. A common point of confusion arises when determining the appropriate HTTP status code to return when an operation encounters an issue, but the request itself was syntactically valid and processed by the server. Should you always return a specific HTTP error code like 400 Bad Request or 500 Internal Server Error, or are there scenarios where returning 200 OK with error details in the response body is acceptable or even preferable?

Understanding HTTP Status Codes

HTTP status codes are designed to indicate the outcome of an HTTP request. They are broadly categorized into five classes:

1xx Informational: Request received, continuing process.
2xx Success: The action was successfully received, understood, and accepted.
3xx Redirection: Further action needs to be taken to complete the request.
4xx Client Error: The request contains bad syntax or cannot be fulfilled.
5xx Server Error: The server failed to fulfill an apparently valid request.

The core principle is that the status code should reflect the outcome of the HTTP transaction itself, not necessarily the business logic outcome of the operation requested. A 200 OK status code fundamentally means "the request was successful, and the server is returning the requested data." If the server successfully processed the request and generated a response, even if that response indicates a business-level error, a 200 OK might be considered.

flowchart TD
    A[Client Sends Request] --> B{Server Receives Request?}
    B -- No --> C[HTTP 4xx/5xx (Network/Server Error)]
    B -- Yes --> D{Request Syntactically Valid?}
    D -- No --> E[HTTP 400 Bad Request]
    D -- Yes --> F{Business Logic Executed?}
    F -- No --> G[HTTP 5xx (Internal Server Error)]
    F -- Yes --> H{Business Logic Resulted in Error?}
    H -- No --> I[HTTP 200 OK + Success Data]
    H -- Yes --> J[Option 1: HTTP 4xx/5xx + Error Details]
    H -- Yes --> K[Option 2: HTTP 200 OK + Error Details in Body]

Decision flow for HTTP status codes based on request processing.

When to Use 200 OK with Error in Body

While generally discouraged for typical API errors, there are specific scenarios where returning 200 OK with an error payload can be appropriate:

GraphQL APIs: GraphQL, by design, often returns 200 OK for all responses, even if individual queries or mutations within the request fail. Errors are communicated within a dedicated errors array in the JSON response body, alongside any partial data.
Batch Operations: If you send a batch request to an API, and some individual operations succeed while others fail, returning 200 OK for the overall batch request, with a detailed breakdown of success/failure for each sub-operation in the response body, can be a pragmatic approach.
Legacy Systems/Client Constraints: In some cases, older clients or specific integration requirements might struggle to correctly interpret non-200 status codes. While not ideal, returning 200 OK with an error body might be a necessary workaround.
"Soft" Errors or Warnings: If the operation technically succeeded but with minor issues or warnings that the client should be aware of, a 200 OK with a warnings or messages field in the body can be used.

In these cases, the 200 OK signifies that the request itself was successfully processed by the server, and the server is providing a complete response, which happens to contain error information.

{
  "status": "error",
  "code": "INVALID_INPUT",
  "message": "The provided email address is already registered.",
  "details": {
    "field": "email",
    "value": "test@example.com"
  }
}

Example of an error payload within a 200 OK response.

When to Prefer Specific HTTP Error Codes

For most API interactions, adhering to standard HTTP status codes is the best practice. This provides clear, machine-readable signals about the nature of the error without requiring the client to parse the response body to determine if an error occurred. Here are common scenarios:

400 Bad Request: For client-side input validation failures, missing required parameters, or malformed request bodies.
401 Unauthorized: When authentication credentials are missing or invalid.
403 Forbidden: When the client is authenticated but does not have permission to perform the requested action.
404 Not Found: When the requested resource does not exist.
409 Conflict: When the request conflicts with the current state of the server (e.g., trying to create a resource that already exists).
422 Unprocessable Entity: (Often used with REST APIs) When the request is syntactically correct but semantically incorrect (e.g., validation errors that prevent the entity from being processed).
500 Internal Server Error: For unexpected server-side issues that prevent the request from being fulfilled.

Using these codes allows intermediaries (proxies, caches) and client libraries to handle errors generically, improving API robustness and maintainability.

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Validation failed for one or more fields.",
    "details": [
      {
        "field": "username",
        "message": "Username must be at least 5 characters long."
      },
      {
        "field": "password",
        "message": "Password must contain at least one digit."
      }
    ]
  }
}

Example of a 400 Bad Request response with detailed error information.

💡

When returning error details in the response body (whether with 200 OK or a specific error code), always include a consistent structure. This typically involves fields like code (a machine-readable error identifier), message (a human-readable description), and details (additional context like field-specific errors).

Best Practices for API Error Handling

Regardless of whether you choose 200 OK with an error body or a specific HTTP error code, consistency is key. Here are some best practices:

Be Consistent: Define a clear error handling strategy and stick to it across your entire API.
Provide Detail: Always include a machine-readable error code, a human-readable message, and any relevant details (e.g., field names, invalid values) in your error responses.
Use Standard Codes When Possible: Leverage the rich set of HTTP status codes to convey the nature of the error. This makes your API easier to understand and integrate with.
Document Thoroughly: Clearly document your error response formats and the meaning of different error codes in your API documentation.
Avoid Leaking Internal Details: Error messages should be informative to the client but should not expose sensitive server-side implementation details or stack traces.