5xx Series Status Code Usage (i.e. 500 vs 504) #9
-
In the API Standards today, status code guidelines indicate that REST APIs should only ever surface the status codes provided in the list given. This is helpful for us to align on specific status codes and avoid deviation for funky usages like 207 (multi-status) that probably should be left untouched by our implementations, or help with consistency on various 4xx series codes to use. In the 5xx series ONLY the 500 status code is indicated as something that a REST API should return. However, thats not to say you won't encounter other 5xx status codes codes as a consumer of course. Various other 5xx codes can be returned at any layer or interception point or gateway/proxy inbetween. Similarily it may be reasonable to think that non-RESTful aspects of your API implementation or middleware may have to return more specific 5xx series status codes for non-RESTful purposes beyond the scoping of the REST API Standards. Taking a look at the 5xx series of status codes though, there are limited codes of interest for the REST application level: 501 - Not Implemented - Not useful as we don't expect to ever indicate paths/methods that exist but are not yet finished. https://docs.platform.spscommerce.com/api-design/standards/request-response/#supported-status-codes My initial interpretation is that status codes 501-504 all apply to situations where you would not indicate these codes on your Open API specification for example, as its not a product-related response (i.e. you would indicate a response such as a 409 conflict on certain endpoints that as a product would mean something specific about the conflict in the request). The focus in the REST API Standards is less on implementation and more on contract (what does the consumer care about). GETTING TO THE POINT: Should the REST API Standards call out the additional usage of the 504 status code (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/504)? Should it call out the usage of other 5xx status codes? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 14 replies
-
As a point of reference and alternative perspective, CloudFoundry provide a distinct look at how they use 5xx server errors in their REST API guidelines to indicate different types of dependency failures (external or internal), and it explicitly doesn't use the 504 status code at all. Its interpretations of the 502 and 503 status codes are quite different than my interpretations and usage in the past. A good example why it is necessary to align on these across the organization, as I imagine our internal perspectives can be very different as well. 502 Bad Gateway - This status MUST be returned when an external service failure causes a request to fail. https://github.com/cloudfoundry/cc-api-v3-style-guide#server-errors Thoughts on the way 502 and 503 are used here? |
Beta Was this translation helpful? Give feedback.
-
@jerelthompson I know this is a pattern your teams have used in the past with great success. Can you provide additional insight and perspective on what you think is the right approach here? |
Beta Was this translation helpful? Give feedback.
-
Personally, I've been trained to not rely on different 5XX status codes for much and use the response content instead. So just always using 500 with a good response seems like the easiest choice. |
Beta Was this translation helpful? Give feedback.
-
I have a few thoughts. 502s, 504sIt seems like 502 and 504 go hand in hand. So if we are committed to using one or the other I think we should consider using both. ContextThe context in which we are using these error codes might be important. I would make a distinction between a data API that has dependencies and an API that we are actually using as a gateway or a proxy. An example of the latter might be something like the backend for frontend pattern. We might use this in scenarios where we have a client side application that we want to delegate the identity management to a backend service. I those cases, we can either proxy the API request to an actual data API or act as a gateway getting data from several data APIs and aggregating that into a view model. However, if we are making a call directly to a data API and that data API depends on another data API to complete its action, that may not constitute a 502 or 504 in my opinion. A scenario might be the DEX API depends on NCS service to create a new Document entity. If the NCS service is unavailable DEX can't create a Document. The DEX API isn't returning NCS data nor acting as a gateway or proxy for NCS data in any way. Despite the DEX API having dependencies, it is the intended target/authority of the request for a Document entity. In this case, I think it would make sense to return a 500. Implementation DetailsThis I think also answers the question related to "exposing implementation details" in that its find to return a 504 from a BFF because we know that it isn't the intended target. 503sFor a 503, I feel like if you API is in a position to respond with a 503, that is, if it's a choice you are making in code at runtime, then it likely isn't fitting the definition of a 503. Returning a 503 might increase confusion rather than help to relieve it. |
Beta Was this translation helpful? Give feedback.
Personally, I've been trained to not rely on different 5XX status codes for much and use the response content instead. So just always using 500 with a good response seems like the easiest choice.