HTTP status code for an expired confirmation code

Time:02-11

I have an endpoint in my REST API that sends a code the user received by email to verify the email address.

What status code should I use to indicate that this code has expired?

Is it 401, 410 or 498?

CodePudding user response:

I would recommend using status code 498 if you wanna show the user that their authorization code is invalid, or use 410 to show that the link is invalid.

Edit: Note that 498 is an unofficial status code.

CodePudding user response:

HTTP status codes are metadata of the transfer of documents over a network domain. They are a token that instructs general purpose HTTP clients how to interpret the response (especially the other metadata fields).

When considering an unassigned status code (like 498), you want to keep in mind that general purpose components that don't recognize the code are going to treat the response as though it had the x00 response code of the same class (so 498 --> 400, 298 --> 200, and so on).

That said, if your expected context includes clients that do understand the semantics of 498, then this is less of a concern.


> I have an endpoint in my REST API that sends a code the user received by email to verify the email address.
>
> What status code should I use to indicate that this code has expired?

You can make a good case for either 200 or 410, I think.

In either case, the important thing to the client is going to be the representation in the payload, which is going to be some kind of "so sorry" message and maybe hypermedia controls to restart the process.

> The 410 response is primarily intended to assist the task of web maintenance by notifying the recipient that the resource is intentionally unavailable and that the server owners desire that remote links to that resource be removed.

So that could be a reasonable choice, given that you don't particularly want this URI to be reused.
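An added sketch of the second answer's two points, not code from either poster: a handler that answers an expired code with 410 plus a payload that tells the client how to restart, and the x00 fallback a generic client applies to an unassigned code such as 498. The store layout, the `/confirmations` path, the body fields and the 400 for an unrecognised code are assumptions made for the example.

```python
import hmac
import time
from http import HTTPStatus


def verify_confirmation(store, email, submitted, now=None):
    """Return (status, body) for a submitted e-mail confirmation code.

    `store` maps an address to {"code": str, "expires_at": epoch seconds};
    this layout is hypothetical.
    """
    now = time.time() if now is None else now
    record = store.get(email)
    # Unknown address and wrong code get the same answer, and the comparison
    # is constant-time, so the response does not reveal which part was wrong.
    if record is None or not hmac.compare_digest(
        record["code"].encode(), submitted.encode()
    ):
        return 400, {"title": "Confirmation code not recognised"}
    if now >= record["expires_at"]:
        # The payload carries the explanation and the control to start over;
        # the status code is only the transfer-level signal.
        return 410, {
            "title": "Confirmation code expired",
            "restart": {"method": "POST", "href": "/confirmations"},
        }
    return 200, {"title": "Email address confirmed"}


def effective_status(code):
    """Status a general-purpose client acts on: codes it does not recognise
    are treated as the x00 code of the same class."""
    try:
        return HTTPStatus(code).value  # known to the standard library
    except ValueError:
        return (code // 100) * 100


if __name__ == "__main__":
    # Constructed sample data.
    sample = {"a@example.test": {"code": "483921", "expires_at": 1_000}}
    print(verify_confirmation(sample, "a@example.test", "483921", now=2_000))
    print(effective_status(498))
```
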
