Status Code
400 Bad Request
Learn what 400 Bad Request means when servers reject malformed requests. Understand common causes like invalid JSON, missing parameters, and how to debug.
What is 400 Bad Request?
TL;DR: 400 Bad Request means your request is malformed. Check for invalid JSON, missing fields, or wrong data types.
A 400 Bad Request status code means the server cannot understand or process your request because it’s malformed, invalid, or missing required information. Think of it like trying to order food in a language the waiter doesn’t understand, or giving incomplete address information to a delivery driver—the server wants to help but can’t figure out what you’re asking for.
This is a client-side error, meaning the problem is with how the request was constructed, not with the server itself.
When Does This Happen?
You’ll see a 400 Bad Request response in these common situations:
1. Invalid JSON Syntax
{
"name": "John",
"age": 25, ← Missing closing brace
```text
**2. Missing Required Fields**
```json
{
"email": "user@example.com"
← Missing required "password" field
}3. Wrong Data Types
{
"age": "twenty-five", ← Should be number, not string
"active": "yes" ← Should be boolean, not string
}
```text
**4. Invalid URL Parameters**
```text
/users?limit=abc ← "abc" is not a valid number
/posts?date=invalid-date-format
```http
**5. Malformed Headers**
```http
Content-Type: application/json;charset= ← Incomplete charset
Authorization: Bearer ← Missing tokenExample Responses
Invalid JSON Syntax:
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "Bad Request",
"message": "Invalid JSON syntax",
"details": "Unexpected token '}' at position 45",
"code": "INVALID_JSON"
}
```text
**Missing Required Fields:**
```http
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "Validation Failed",
"message": "Required fields are missing",
"missing_fields": ["email", "password"],
"code": "MISSING_REQUIRED_FIELDS"
}Invalid Data Types:
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "Invalid Input",
"message": "Data type validation failed",
"validation_errors": [
{
"field": "age",
"expected": "number",
"received": "string",
"value": "twenty-five"
}
]
}
```text
## Real-World Example
Imagine you're building a user registration API and someone sends invalid data:
**Invalid Request:**
```http
POST /users HTTP/1.1
Host: api.example.com
Content-Type: application/json
{
"username": "",
"email": "not-an-email",
"age": -5,
"preferences": {
"notifications": "maybe"
}
}400 Bad Request Response:
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "Validation Failed",
"message": "The request contains invalid data",
"validation_errors": [
{
"field": "username",
"message": "Username cannot be empty",
"code": "REQUIRED"
},
{
"field": "email",
"message": "Invalid email format",
"code": "INVALID_FORMAT"
},
{
"field": "age",
"message": "Age must be between 0 and 120",
"code": "OUT_OF_RANGE"
},
{
"field": "preferences.notifications",
"message": "Must be true or false",
"code": "INVALID_TYPE"
}
],
"documentation": "https://api.example.com/docs/users#create"
}
```text
## 400 vs Other Client Error Codes
| Code | Meaning | When to Use |
| ------- | ----------------------- | ---------------------------------------------- |
| **400** | Bad request format | Malformed syntax, invalid data, missing fields |
| **401** | Authentication required | Missing or invalid credentials |
| **403** | Access forbidden | Valid request but insufficient permissions |
| **404** | Resource not found | Valid request but resource doesn't exist |
| **422** | Unprocessable entity | Valid syntax but semantic errors |
## Common Causes and Solutions
**Invalid JSON:**
```javascript
// ❌ Broken JSON
{
"name": "John",
"age": 25, // Comments not allowed in JSON
}
// ✅ Valid JSON
{
"name": "John",
"age": 25
}Wrong Content-Type:
❌ POST /api/users
Content-Type: text/plain
{"name": "John"}
✅ POST /api/users
Content-Type: application/json
{"name": "John"}
```text
**Invalid Query Parameters:**
```text
❌ /users?limit=abc&offset=-1
✅ /users?limit=10&offset=0
```text
## Best Error Response Practices
**Provide Specific Error Details:**
```json
{
"error": "Bad Request",
"message": "Validation failed for user creation",
"details": {
"field_errors": [
{
"field": "email",
"message": "Email format is invalid",
"example": "user@example.com"
}
]
},
"request_id": "req_123456789",
"timestamp": "2026-01-18T12:00:00Z"
}Include Helpful Context:
{
"error": "Invalid JSON",
"message": "Request body contains malformed JSON",
"line": 3,
"column": 15,
"suggestion": "Check for missing commas or quotes",
"documentation": "/docs/api-format"
}
```text
## Common Mistakes
**❌ Using 400 for server errors**
```http
HTTP/1.1 400 Bad Request ← Wrong code
{"error": "Database connection failed"} ← This is a 500 error❌ Vague error messages
HTTP/1.1 400 Bad Request
{"error": "Bad request"} ← Not helpful for debugging
```text
**❌ Using 400 for missing resources**
```http
GET /users/999999
HTTP/1.1 400 Bad Request ← Should be 404 Not Found
{"error": "User not found"}✅ Correct usage
POST /users
HTTP/1.1 400 Bad Request
{
"error": "Invalid email format",
"field": "email",
"value": "invalid-email",
"expected_format": "user@domain.com"
}
```javascript
## Prevention Strategies
**Client-Side Validation:**
```javascript
// Validate before sending
function validateUser(user) {
const errors = []
if (!user.email || !user.email.includes('@')) {
errors.push('Valid email required')
}
if (!user.age || user.age < 0 || user.age > 120) {
errors.push('Age must be between 0 and 120')
}
return errors
}Server-Side Schema Validation:
const userSchema = {
type: 'object',
required: ['email', 'password'],
properties: {
email: { type: 'string', format: 'email' },
age: { type: 'number', minimum: 0, maximum: 120 }
}
}Debugging 400 Errors
Check Request Format:
- Validate JSON syntax with a JSON validator
- Verify Content-Type header matches body format
- Ensure all required fields are present
- Check data types match API expectations
Common Tools:
- Browser Developer Tools (Network tab)
- Postman for API testing
- curl with verbose output (
curl -v) - JSON validators online
Try It Yourself
Visit our request builder and trigger a 400 error:
- Set method to POST
- Set path to /users
- Add invalid JSON:
{"name": "John", "age":} - Click Send request
- Watch the 400 response with validation details
Related Status Codes
- 401 Unauthorized - Authentication required
- 403 Forbidden - Access denied
- 404 Not Found - Resource doesn’t exist
- 422 Unprocessable Entity - Valid syntax, semantic errors
Frequently Asked Questions
What does 400 Bad Request mean?
A 400 error means the server cannot process your request because it is malformed or invalid. Common causes include invalid JSON syntax, missing required fields, or incorrect data types.
How do I fix a 400 Bad Request error?
Check your request for syntax errors, validate JSON format, ensure all required fields are present, verify data types match the API specification, and check for special characters that need encoding.
What is the difference between 400 and 404?
400 means your request is malformed or invalid. 404 means the resource was not found. With 400, the problem is how you asked; with 404, the problem is what you asked for does not exist.
Can a 400 error be caused by the server?
No, 400 is a client error indicating the request itself is invalid. If the server has an issue, it returns 5xx errors. However, unclear API documentation can lead developers to send invalid requests.