I prefer simplicity and using the first example but I’d be happy to hear other options. Here’s a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)
HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}
HTTP/1.1 200 (🤡) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}
HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

  • @[email protected]
    link
    fedilink
    123 months ago

    since none of your examples add anything of value in the body: a plain old 403 is enough.

    response bodies for 400 responses are more interesting, since you can often tell why a request was bad and the client can use that information to communicate to the user what went wrong.

    best error code remains 418, though.

    • @[email protected]
      link
      fedilink
      33 months ago

      I was annoyed that the one time I wanted to use 418 as a filler Dotnets http library didn’t support returning it.

      • @perviouslyiner
        link
        13 months ago

        Well it’s not an HTTP status code; it’s an HTCPCP status code.