erza

Reputation: 11

What is the most appropriate status code?

We need to implement account deletion. One of the endpoints should send a letter to the user's email address to confirm deletion. I am thinking of something like

POST /users/me/requests/deletion

However, there is a possibility that the user does not have a confirmed email address. In this case he cannot delete his account. Which is the best status code to return in this situation? We cannot decide between 409 Conflict, 403 Forbidden and 422 Unprocessable Entity.

Upvotes: 1

Views: 44

Answers (1)

Opal

Reputation: 84756

Personally I'd go for 409 Conflict with a proper message describing the problem. This is the most general error status code and can definitely be used here.

403 Forbidden most often indicates a problem with authentication, but this is not always the case. It can be used to forbid access even if there's no issue with credentials. So it can be used here; however, in my personal opinion it doesn't suit well. Documentation says that 403 Forbidden indicates that the server just refuses to fulfill the request and nothing can help, so it may be a good choice here as well.

422 Unprocessable Entity indicates problems with the entity being sent or processed. Here the entity isn't clearly visible. This error mostly indicates problems with the request itself (misused 400 Bad Request) or with entity validation that can't be processed at the earlier stages of processing (e.g. DB constraint violation).

Upvotes: 1
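
An added example, not code from the question or the answer: a framework-free Python handler for the endpoint that follows the answer's 409 Conflict suggestion and carries the explanatory message in an RFC 9457 problem-details body. The user store, outbox, token lifetime and all function names are assumptions made for the illustration.

```python
import hashlib
import json
import secrets
import time

# Constructed in-memory user store; field names are assumptions for this example.
USERS = {
    "alice": {"email": "alice@example.com", "email_confirmed": True},
    "bob": {"email": "bob@example.com", "email_confirmed": False},
}
PENDING = {}      # sha256(token) -> (user id, expiry timestamp)
OUTBOX = []       # stands in for the mail queue: (address, token)
TOKEN_TTL = 3600  # seconds; assumed lifetime of the confirmation link


def problem(status, title, detail):
    """Build an RFC 9457 problem-details response (status, headers, body)."""
    body = json.dumps({"status": status, "title": title, "detail": detail})
    return status, {"Content-Type": "application/problem+json"}, body


def request_deletion(user_id, now=None):
    """Handle POST /users/me/requests/deletion for the session's user id."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    if user is None:
        # No authenticated user behind the request.
        return problem(401, "Unauthorized", "Authentication is required.")
    if not user["email_confirmed"]:
        # The request is well-formed, but the account's current state blocks it.
        return problem(409, "Conflict",
                       "Confirm your email address before requesting deletion.")
    token = secrets.token_urlsafe(32)
    # Store only a hash so a leaked table cannot be turned into working links.
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (user_id, now + TOKEN_TTL)
    OUTBOX.append((user["email"], token))
    # Nothing is deleted yet, the request is only recorded: 202 Accepted.
    body = json.dumps({"status": "confirmation_sent"})
    return 202, {"Content-Type": "application/json"}, body
```

Because the 409 body names the precondition, a client can branch on the status code and show the `detail` text without parsing free-form error strings.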
