Below the codes in use are described:
400 Bad Request
The resource could not be parsed or failed basic FHIR validation rules (or multiple matches were found for conditional criteria)
The server cannot process the request due to an apparent client error (e.g., malformed request syntax, size too large, invalid request message framing, or deceptive request routing).[31]
401 Unauthorized (RFC 7235)
Authorization is required for the interaction that was attempted.
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.[32] 401 semantically means "unauthorized",[33] the user does not have valid authentication credentials for the target resource.
Note: Some sites incorrectly issue HTTP 401 when an IP address is banned from the website (usually the website domain) and that specific address is refused permission to access a website.[citation needed]
Authorization failed due to lack of privileges.
The request contained valid data and was understood by the server, but the server is refusing action. This may be due to the user not having the necessary permissions for a resource or needing an account of some sort, or attempting a prohibited action (e.g. creating a duplicate record where only one is allowed). This code is also typically used if the request provided authentication by answering the WWW-Authenticate header field challenge, but the server did not accept that authentication. The request should not be repeated.
Resource type not supported, or not a FHIR end-point
The requested resource could not be found but may be available in the future. Subsequent requests by the client are permissible.
405 Method Not Allowed
The resource did not exist prior to the update, and the server does not allow client defined ids
A request method is not supported for the requested resource; for example, a GET request on a form that requires data to be presented via POST, or a PUT request on a read-only resource.
422 Unprocessable Entity
The proposed resource violated applicable FHIR profiles or server business rules
The request was well-formed but was unable to be followed due to semantic errors.[16]
5xx Server errors
The server failed to fulfill a request.[61]
Response status codes beginning with the digit "5" indicate cases in which the server is aware that it has encountered an error or is otherwise incapable of performing the request.
5xx server errors will most likely be seen when an environment is unable to process a request due to lack of resources. Retrying a request that returns a 503 or 504 will likely succeed when resource are available.
500 Internal Server Error
This is usually a program error, and should be reported.
A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.[63]
502 Bad Gateway
This can be returned temporary when a new configuration is being committed to the environment.
The server was acting as a gateway or proxy and received an invalid response from the upstream server.[65]
503 Service Unavailable
“No healthy upstream error“
The server cannot handle the request (because it is overloaded or down for maintenance). Generally, this is a temporary state.[66]
504 Gateway Timeout The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.[67]