I prefer simplicity and using the first example but I’d be happy to hear other options. Here’s a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)
HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}
HTTP/1.1 200 (🤡) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}
HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

  • SorteKanin@feddit.dk
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    2 months ago

    A plain 400 without explanation is definitely not great UX. But for something like 403, not specifying the error may be intentional for security reasons.

    • b_n@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      I know of some people that never use 403, but instead opt for 404 for security reasons. 403 implies that there is something they could have access to, but don’t.

      I think in some situations that this can be valid, but it shouldn’t be a crux.

      • SorteKanin@feddit.dk
        link
        fedilink
        arrow-up
        2
        ·
        2 months ago

        404 is definitely also used sometimes for hiding stuff that shouldn’t be seen, but 403 may still be appropriate for various stuff where there is nothing to hide. With 404 you probably also never want to give any explanation or error message.