warvariuc

Reputation: 59594

HTTP status code when rejecting unsupported API clients

We have a mobile app which sends its version in an HTTP header when sending API requests.

On the backend we are trying to refuse requests from old unsupported mobile apps.

What HTTP status code is appropriate for this case?

P.S. Please let's not start a discussion about API versioning.

Upvotes: 4

Views: 2781

Answers (3)

VoiceOfUnreason

Reputation: 57239

403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

Upvotes: 1

cassiomolin

Reputation: 130887

Status codes are meant to describe the result of the server's attempt to understand and satisfy the client's corresponding request.

However, it's unlikely you'll find specific status codes for each situation. So, assuming it's a client error, you could go with 400:

6.5.1. 400 Bad Request

The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

And, as HTTP status codes are not always sufficient to convey enough information about an error to be helpful, ensure you return details about the error in the payload.

You could have a look at RFC 7807, as it defines simple JSON and XML document formats to inform the client about a problem in an HTTP API. It's a great starting point for reporting errors in your API. It also defines the application/problem+json and application/problem+xml media types.

Upvotes: 1

maklas

Reputation: 332

426 (Upgrade Required) seems like a valid candidate. So are 412 (Precondition Failed) and 417 (Expectation Failed). It purely depends on how you interpret it in your application.

Upvotes: 3
