Don’t use 400, but use 422 #TIL

Yash Ranadive
1 min read · Apr 4, 2016


…for form field validation failures.

I have a backend API that accepts user signups. If everything goes as planned the server returns 200. But what if one of the fields does not pass validation? Ideally, you will have some kind of client side validation. But you should never assume the client is going to send you clean data.

You can use the generic 400 status code for such requests. But, according to w3.org, 400 Bad Request means

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

Status code 422 seems like a more appropriate response code. According to the WebDAV documentation, 422 Unprocessable Entity means:

The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.

You should use 401 Unauthorized if the password itself is wrong.
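As an added example (not code from the original post), here is a framework-free Python signup handler that separates the three failure classes contrasted above: a media type the server does not understand (415), a body that is not well-formed (400), and a well-formed body whose fields fail server-side validation (422). The email pattern and the 8-character password minimum are assumed policy, not something the post specifies.

```python
import json
import re

# Constructed example: maps the failure classes discussed above to
# distinct status codes so the client knows what to fix.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 8  # assumed policy, not from the original post


def validate_signup(fields):
    """Semantic checks on an already-parsed body; returns {field: message}."""
    if not isinstance(fields, dict):
        return {"body": "expected a JSON object"}
    errors = {}
    email = fields.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        errors["email"] = "must be a valid email address"
    password = fields.get("password")
    if not isinstance(password, str) or len(password) < MIN_PASSWORD_LEN:
        errors["password"] = f"must be at least {MIN_PASSWORD_LEN} characters"
    return errors


def handle_signup(content_type, body):
    """Return (status, response_dict) for a raw signup request.

    415: server does not understand the media type at all.
    400: media type is fine but the body is not syntactically valid JSON.
    422: JSON parsed, but the fields fail server-side validation.
    200: everything checks out.
    """
    if content_type.split(";")[0].strip().lower() != "application/json":
        return 415, {"error": "only application/json is accepted"}
    try:
        fields = json.loads(body)
    except (UnicodeDecodeError, json.JSONDecodeError):
        # Do not echo the malformed body back; a generic message is enough.
        return 400, {"error": "request body is not well-formed JSON"}
    errors = validate_signup(fields)
    if errors:
        # Field-level messages let the client correct its input without guessing.
        return 422, {"errors": errors}
    return 200, {"status": "created"}
```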


Yash Ranadive

Engineering @Facebook. Founder @GrepPage. Data Eng. @Lookout. Web, Search, 3D. Dog Parent. https://evidanary.github.io