What status code to use when a parameter is missing in the query string?

Question

I have an endpoint that requires a parameter passed via the query string (is a GET verb).

What is the appropriated status code to give when this parameter is missing from the request? 400 is the one? or should I respond with a 404?

[GET /search?q=ok] => 200 OK
[GET /search] => 400 Bad Request? or 404 Not Found? Or 422 Unprocessable Entity? Others?

Answer 1

TLDR It's an HTTP 400 - Bad Request.

It's a 400 because the user did not send the Required input field.

why not 422 - because this case fits to 400. Keeping your consumers in mind, you shouldn't go to non-popular response codes if you don't really need to.

Cases for HTTP 404:

1. Url which the client requested is not existing in your server (usually this will be handled by your server. Application developer usually doesn't have to do anything unless you want a nice looking 404 page or for SEO reasons).

2. If it was a path parameter and client was looking for an entity with an id (for Example (/students/{id} and your application couldn't find such entity, you may respond with an HTTP 404.

Let's say, user sent the query parameter and you did not find any items matching the query param, make no mistake, it's still an HTTP 200 with body as an empty array or so (not a 404 unlike mentioned in the previous case). Example: /customers?lastname=unobtanium

Answer 2

What is the appropriated status code to give when this parameter is missing from the request? 400 is the one? or should I respond with a 404?

I would argue that 404 is appropriate

The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

The fact that your routing implementation happens to send /search and /search?q=ok to the same handler does not mean that they are the same resource. /search identifies a resource, there's no current representation available for it, so you send a response back to the consumer explaining the problem, and put 404 in the meta data.

The big hint in the spec is this one:

A 404 response is cacheable by default

That lets us inform the client (and any intermediary components) know that this response can be reused.

It's a useful property, and it doesn't apply (out of the box) to 400 Bad Request

Heuristic: your web api should act like a document store. If you ask a document store to give you a document, but you spell the key wrong, what do you get? Some flavor of KeyNotFound exception. Same thing you would get if you asked a web server for a document in your home directory, but your spelled the file name incorrectly.

The semantics of the response indicate the right status code to use, not the implementation details.

Answer 3

It should be 400 - Bad Request.

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

404 - Not Found

The HTTP 404 Not Found Error means that the webpage you were trying to reach could not be found on the server. It is a Client-side Error which means that either the page has been removed or moved and the URL was not changed accordingly, or that you typed in the URL incorrectly.

Its means server is not able to find the URI you specified. but in your case URI is valid but parameters are missing so 400 is right way to do it.