What would be the appropriate status code to use for a server telling a user who is signing up using the site's REST API that their password did not meet the specified requirements (such as length)?
I'm thinking either 400 or 422 based on the answers to this question.
My application currently has no frontend and is entirely an API.
What would be the appropriate status code to use for a server telling a user who is signing up using the site's REST API that their password did not meet the specified requirements (such as length)?
The status code is not the right tool to use for this
the server SHOULD send a representation containing an explanation of the error situation, and whether it is a temporary or permanent condition.
The message body is how we communicate with the user; consider the web, information about an inadequate password would be in the HTML message sent back to the browser to be rendered for the user.
The status code is metadata, it belongs to the transferring-documents-over-a-network domain, to give to general purpose components a standardized understanding of what is going on, so that they can act appropriately (for example, status codes play an important role in cache invalidation).
The most straightforward choice to make in your case would be 403 Forbidden
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it.
422 Unprocessable Entity is fine, especially in that it directs attention to the message-body of the request.
In practice, it probably doesn't matter very much -- besides the minor detail of calling attention to the problematic part of the HTTP request, 400, 403, and 422 are effectively interchangeable. They are all members of the Client Error (4xx) class, they are all not cacheable by default, and so on.
