What HTTP status to use for good request with "bad" input?

Question

I'm writing a microservice for validating promo codes. The client sends me a promo code and a product ID (json). There is the 200 OK case where the code is good, I apply a discount for their order. But there is an error-ish case where the promo code doesn't apply for this product. I'm unsure what response code to use.

Should this also be 200 OK (with some sort of message saying the validation of the code fails)?

Should it be 400 Bad Request?

Neither seems entirely appropriate, it's odd to say 200 OK when it wasn't "OK", however 4xx is usually for signifying a problem with the structure of the request / http protocol - and in this case the structure of the request is fine.

[422 unprocessable entity](http://tools.ietf.org/html/rfc4918#section-11.2)? — steveax, May 11 '15 at 02:02
200 is perfectly OK here. 4xx codes have semantics that do not really apply to this case. — ZhongYu, May 12 '15 at 15:13
@ZhongYu Disagree. The objective of the action was not accomplished and it is obviously due to something on the client's side. I will give the caveat that if this were a batch call I would be okay with 2xx code with a response payload that separated out successes from failures. — gaoagong, Dec 12 '19 at 16:20

score 5 · Accepted Answer · 2015-05-11T05:25:38.017

5

I'll second steveax. 422 seems like a good choice.

IMHO, you should never use 200 if the request failed.

Use an error code & if necessary, provide details in the response body:

HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json

{ "reason": 1, "text": "Invalid promo code." }

On second thought, I think 403 is a good fit here:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{ "reason": "bad_promo_code" }

Ultimately, it doesn't matter as long as it's documented.

edited May 11 '15 at 05:25

answered May 11 '15 at 02:36

I believe a 4xx level error is the way to go here. From the following link: https://restfulapi.net/http-status-codes/ `It indicates that the REST API successfully carried out whatever action the client requested and that no more specific code in the 2xx series is appropriate.` If the action was to add a promo, but it doesn't validate against the product, then you cannot successfully carry out the action the client requested and it is due to something on the client side. They need to change something and try again. If you return a 200, then it gives the impression that the promo was used. – gaoagong Dec 12 '19 at 16:17

score 0 · Answer 2 · answered May 11 '15 at 02:13

I will suggest 409:

10.4.10 409 Conflict

The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request.

What HTTP status to use for good request with "bad" input?

2 Answers2