I prefer simplicity and using the first example but I’d be happy to hear other options. Here’s a few examples:
HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)
HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
{
"code": "UNAUTHORIZED",
"message": "Unauthorized access",
}
HTTP/1.1 200 (🤡) POST /endpoint
{
"error": true,
"message": "Unauthorized access",
}
HTTP/1.1 403 POST /endpoint
{
"status": 403,
"code": "UNAUTHORIZED",
"message": "Unauthorized access",
}
Or your own example.
At a previous job we had an unholy combination of the last two:
HTTP/1.1 200 POST /endpoint { "data": null, "errors": ["403", "unauthorized"], "success": false }
That really is unholy and I also couldn’t work there long if they thought that was OK (pun intended).
It’s a perfectly fine way of doing things as long as it’s consistent and the spec is clear.
HTTP is a transport layer. You don’t have to use its codes for your application layer. It’s often done that way but it’s not the only way.
In the example above the transport layer is saying “OK I’ve delivered your output” which is technically correct. It’s not concerned with logical errors inside what it was transporting, just with the delivery itself.