ActivityPub/Primer/HTTP status codes for delivery

From W3C Wiki

The ActivityPub federation protocol uses an HTTP POST request for sending activities to remote servers. The structure of HTTP gives a limited vocabulary of response codes for HTTP requests. These response codes are 3-digit codes; the first digit indicates a class of status (success, redirect, client error, server error), and the final two digits represent details about the reason for that status.

The ActivityPub specification does not specify how the sending server should respond to each possible status code; it leans on well-defined use of these codes in HTTP and RESTful APIs. The following guidelines give recommendations for how to respond to particular codes. The Wikipedia article List of HTTP status codes covers all codes.

Possible behaviours:

- Delivery is complete; no action - Delivery is not complete; no action; treat as still pending - Retry delivery - Fail delivery permanently

1xx codes

These codes are used for managing the low-level connection information.

100 Continue

This is a low-level status code, and many HTTP client libraries will handle it automatically.

101 Switching Protocols

This is used for changing out of the HTTP system to another protocol, like WebSockets. There is not a standard for using ActivityPub over WebSockets, or other protocols, as of this writing in early 2024. Recommendation: if this is received, permanently fail the delivery.

2xx codes

200 OK

This is used for a successful delivery. You can expect that the activity has been delivered to all addressees and that any side effects have already taken place. Recommended behaviour: no action, delivery is complete.

201 Created

This is unusual for the federation protocol, since delivery does not "create" the activity. Recommendation: treat is as a 200 OK response, no action, delivery is complete.

202 Accepted

This is used for queued delivery. The activity has passed some checks (like authentication, correct addressing) but probably has not been fully delivered, or the side effects have not fully been made. Queuing systems for delivery are pretty common on the fediverse and final delivery might take minutes or, in problematic situations, hours or days. Recommended behaviour: treat as still pending.

204 No Content

This is similar to 200 OK, but does not include any messages. Recommendation: delivery is complete, no action.

3xx codes

These codes are used for redirecting an HTTP request to a different URL. Since the inbox or sharedInbox URLs are derived directly from the ActivityPub actor profile, it would be unusual to need a redirect. One possible cause is an actor that has been cached for a long period, and the implementation has changed in the meantime. Recommended behaviour: ignore 3xx code, refetch the ActivityPub actor.

TBD: detailed responses for each 3xx code, for maximum compatibility.

4xx codes

These are client error codes; it means the request is incorrect and needs to be fixed. Some of these might be recoverable; others are not.

400 Bad Request

TBD

401 Unauthorized

This codes means insufficient authentication information has been passed. It typically means that the ActivityPub/Primer/HTTP Signature on the request is missing or malformed. There may be other reasons this would happen; in particular, a developer that mistakes this code for the 403 code. That said, recommended behaviour is: fail delivery permanently, and check your HTTP Signature code. Another option is if there are additional authentication options to try, choose another and retry the request.

403 Forbidden

This code means that the authentication is correct, but that the authenticated user is not allowed to delivery activities to this address. Typically, this would be for a blocked user or domain, although it might also be used for allow-only private federated networks. Recommended behaviour: fail delivery permanently.

404 Not Found

This code is for when the URL is no longer valid. However, at least one ActivityPub implementation uses a 404 code when the delivered activity is not acceptable (it should probably be a 400 code instead). Recommended behaviour: fail delivery permanently. For maximum compatibility, it may make sense to re-fetch the actor and check for a different inbox URL.

405 Method Not Allowed

This is one of the few codes defined in the ActivityPub specification. It means that this URL is not used for ActivityPub federation protocol -- it's only used for reading the user's inbox. Recommended behaviour: fail delivery permanently, and note that this URL is undeliverable. For maximum compatibility, it may make sense to re-fetch the actor and check for a different inbox URL.

410 Gone

This is used when an URL is no longer available and never will be. It's often used when a resource has been deleted; in the case of ActivityPub inboxes, the most likely scenario is that the user's account has been closed permanently. Recommended behaviour: fail delivery permanently, and note that this URL is undeliverable. For maximum compatibility, it may make sense to re-fetch the actor and check for a different inbox URL.

5xx codes

500 Internal Server Error

501 Not Implemented

502 Bad Gateway

503 Service Unavailable

504 Gateway Timeout

5xx codes