When to use HTTP status code 425 "Too Early"

Question

The 425 "Too Early" status code's description:

Indicates that the server is unwilling to risk processing a request that might be replayed

How is it used in a real world scenario? Examples would be appreciated.

Answer 1

Disclaimer

It was asked for a real world scenario.

Consequently, this is an anekdote when we use the 425 Too Early. It slightly differs from the ietf-425-definition.

---

We have two systems

A) A fast one, legacy, better request seldomly

B) A smothly scaling API connected to a standard database (MySQL)

Whilst the legacy system gets updates within seconds, the API relies on the database, which gets updates from 3 to 5 hours later.

---

Requesting the API will lead to three different answers:

1. Requested source is already in the database => 200 OK

ELSE: Requesting the general existance of the data

2. Requested source neither in the database nor in the legacy system => 404 Not Found
3. Requested resource can be found in the legacy system => 425 Too Early

No°1, obviously, delivers the full dump of requested data, whilst No°3 only indicates that there will be available data in the near future without specifying the data's ETA.

Answer 2

Use HTTP status codes for their intended use, don't invent your own uses. Both scenarios explained here by other answers would benefit from using more fitting status codes (like 429 which includes a handy header retry-after).

The 425 status code is for a very specific scenario, namely:

• TLS 1.3
• With pre-shared keys
• Having recently had a session
• The client having sent an Early-Data: 1 header
• The TLS layer understanding and accepting the early data, but
• The HTTP server layer not accepting the early request

That's it. That's what it's for. Don't use it for anything else.

https://www.rfc-editor.org/rfc/rfc8446#section-4.2.10, https://datatracker.ietf.org/doc/html/rfc8470#section-1

Answer 3

I use 425 when response is calculated on demand (i.e. the first request), but it may take potentially long to calculate it.

E.g. some reports or metadata can be handled like this.

So after a request to particular resource comes for first time - it gets 425 and a special job is queued for background workers to proceed. Once calculation is finished - further requests to the same resource return 200.

Answer 4

You can use a 425 as an error code to handle idempotent requests.

Real world example: I want a request to my API to send money to someone through some crusty unreliable old banks api. Like 60% of the time the underlying api is fast enough, but 40% of the time clients will time out while waiting. If they retry after a timeout the request could potentially double bill them.

So in my API, I ask the sender to send a transactionId, then when they retry the request, they would resend the same transactionId. On my apis side I'm going to store that transactionId and then start the (potentially long running) money transfer. When the transfer finishes you save the result to the transactionId and then return 200(transferResult) to the sender.

If the client gets impatient and retries then the next web request will see that that transactionId is still in flight and return a 425 Too Early. They can then wait a few seconds and try again getting more 425 Too Early responses until the transfer finishes and you return the 200(transferResult) to the sender.

I know this answer is 6 months late, but maybe that helps understand what a 425 can be used for.