Preeti Y.

Reputation: 525

What is the best HTTP status code for pin code's "Max Attempt Reached"?

I'm implementing a pin code authorization in my web application and one of the requirements is to limit the attempt count of a user to n times in a day.

So, what is the best HTTP status code returned to the user when they reached the max attempt count?

Now, I'm thinking of

Upvotes: 1

Views: 1892

Answers (1)

429 is exactly what you want.

from: https://datatracker.ietf.org/doc/html/rfc6585

429 Too Many Requests

   The 429 status code indicates that the user has sent too many
   requests in a given amount of time ("rate limiting").

   The response representations SHOULD include details explaining the
   condition, and MAY include a Retry-After header indicating how long
   to wait before making a new request.

   For example:

   HTTP/1.1 429 Too Many Requests
   Content-Type: text/html
   Retry-After: 3600

   <html>
      <head>
         <title>Too Many Requests</title>
      </head>
      <body>
         <h1>Too Many Requests</h1>
         <p>I only allow 50 requests per hour to this Web site per
            logged in user.  Try again soon.</p>
      </body>
   </html>

   Note that this specification does not define how the origin server
   identifies the user, nor how it counts requests.  For example, an
   origin server that is limiting request rates can do so based upon
   counts of requests on a per-resource basis, across the entire server,
   or even among a set of servers.  Likewise, it might identify the user
   by its authentication credentials, or a stateful cookie.

   Responses with the 429 status code MUST NOT be stored by a cache.

Note how the spec invites the service / implementation to provide details. It does not say what type of request is too many, or anything specific, really. Therefore, you will want to say something like "stop spamming my service because x, y, z".

Upvotes: 3
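Added example, not code from the question or the answer: one way to implement the daily PIN-attempt limit with the 429 response the RFC describes, counting failed attempts per user, resetting at UTC midnight, and sending Retry-After plus Cache-Control: no-store so the response is not cached. The class name, the limit of 5 and the UTC-day window are assumptions.

```python
from datetime import datetime, time, timedelta, timezone
import hmac

MAX_ATTEMPTS_PER_DAY = 5  # assumed policy value, the question's "n"


class PinAttemptLimiter:
    """Tracks failed PIN attempts per user within a UTC day (in-memory, for illustration)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS_PER_DAY):
        self.max_attempts = max_attempts
        self._failures = {}  # user_id -> (utc_date, failed_count)

    def _too_many(self, now):
        # Retry-After = seconds until the daily window resets at next UTC midnight.
        next_day = datetime.combine(now.date() + timedelta(days=1), time.min, tzinfo=timezone.utc)
        retry_after = int((next_day - now).total_seconds())
        headers = {
            "Content-Type": "text/plain",
            "Retry-After": str(retry_after),
            "Cache-Control": "no-store",  # RFC 6585: 429 responses MUST NOT be cached
        }
        body = (f"Too Many Requests: the limit of {self.max_attempts} PIN attempts per day "
                f"has been reached. Try again in {retry_after} seconds.")
        return 429, headers, body

    def check_pin(self, user_id, submitted_pin, expected_pin, now):
        """Return (status, headers, body). `now` must be a timezone-aware UTC datetime."""
        today = now.date()
        day, count = self._failures.get(user_id, (today, 0))
        if day != today:
            count = 0  # a new UTC day starts a fresh budget
        if count >= self.max_attempts:
            return self._too_many(now)  # refuse before even comparing the PIN
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(submitted_pin, expected_pin):
            return 200, {"Cache-Control": "no-store"}, "OK"
        count += 1
        self._failures[user_id] = (today, count)
        remaining = self.max_attempts - count
        return 401, {"Cache-Control": "no-store"}, f"Invalid PIN; {remaining} attempts remaining today"
```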
