200 OK                  → Standard successful response
201 Created             → Resource was successfully created (POST)
202 Accepted            → Request accepted but processing is async
204 No Content          → Success, nothing to return (DELETE, PUT)
206 Partial Content     → Range request fulfilled (video streaming)

301 Moved Permanently   → Page has a new permanent URL
302 Found               → Temporary redirect
304 Not Modified        → Client cache is valid, no data sent
307 Temporary Redirect  → Redirect, keep original HTTP method
308 Permanent Redirect  → Redirect, keep method (permanent)

400 Bad Request         → Malformed request syntax
401 Unauthorized        → Login required
403 Forbidden           → Logged in but access denied
404 Not Found           → Resource does not exist
405 Method Not Allowed  → Wrong HTTP method used
408 Request Timeout     → Client took too long
409 Conflict            → Duplicate or state conflict
410 Gone                → Resource permanently deleted
422 Unprocessable Entity→ Validation failed (API body errors)
429 Too Many Requests   → Rate limited

500 Internal Server Error → Something crashed on the server
501 Not Implemented       → Server doesn't support the feature
502 Bad Gateway           → Upstream server returned invalid response
503 Service Unavailable   → Server is down or overloaded
504 Gateway Timeout       → Upstream server didn't respond in time

GET    /users              → List all users
POST   /users              → Create a new user
GET    /users/:id          → Get a specific user
PUT    /users/:id          → Replace a user
PATCH  /users/:id          → Update specific fields
DELETE /users/:id          → Delete a user

GET    /users/:id/posts    → Get all posts by a user
POST   /users/:id/posts    → Create a post for a user

✅ Use nouns, not verbs in URLs  → /users not /getUsers
✅ Use plural resource names     → /products not /product
✅ Use HTTP status codes correctly
✅ Version your API              → /api/v1/users
✅ Filter with query params      → GET /users?role=admin&page=2
✅ Return consistent JSON structure
❌ Avoid /getUserById?id=1
❌ Avoid exposing internal IDs where possible

✅ Keys must be strings in double quotes
✅ Strings must use double quotes
✅ No trailing commas
✅ No comments allowed in strict JSON
✅ Use ISO 8601 for dates: "2024-01-15T08:30:00Z"

User → App → Authorization Server → User approves → Auth code → App exchanges for token

header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9   ← Header (Base64)
.eyJ1c2VySWQiOjEsInJvbGUiOiJhZG1pbiJ9  ← Payload (Base64)
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV    ← Signature (HMAC)

1. User logs in with credentials
2. Server validates → creates JWT → sends to client
3. Client stores JWT (localStorage or httpOnly cookie)
4. Client sends JWT on every request:
   Authorization: Bearer <token>
5. Server verifies signature → extracts claims → grants access

✅ Use short expiration times (15m–1h for access tokens)
✅ Use refresh tokens for long sessions
✅ Store in httpOnly cookies (not localStorage) to prevent XSS
✅ Use HTTPS always
✅ Validate signature on every request server-side
❌ Never store sensitive data in JWT payload (it's just Base64)
❌ Don't use "none" algorithm

1. User logs in
2. Server creates a session → stores in memory/DB
3. Server sends session ID in a cookie: Set-Cookie: sessionId=abc123
4. Browser auto-sends cookie on every request
5. Server looks up session by ID → retrieves user data
6. On logout → session is destroyed server-side

✅ Always use HTTPS
✅ Set HttpOnly + Secure flags on auth cookies
✅ Use SameSite=Strict or Lax to prevent CSRF
✅ Implement CSRF tokens for session-based auth
✅ Rotate session IDs after login (session fixation prevention)
✅ Use short-lived JWTs + refresh token rotation
✅ Validate and sanitize all inputs
❌ Never store passwords in plain text → use bcrypt/argon2
❌ Never trust client-side data without server-side validation