Tags: http, http-status-codes, http-status

What's the appropriate HTTP status code when the request is missing a required cookie?


I have an API endpoint and the request should have a cookie (not authentication). What would be the correct HTTP status code to return if it isn't present?

I would assume a 400 Bad Request would be the best.


Solution

  • Not many details are provided in your question, but I guess 400 (Bad Request) is a good option:

    6.5.1. 400 Bad Request

    The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

    However, depending on your requirements, you also could consider the 422 (Unprocessable Entity) status code, defined in the WebDAV specification, which is just an extension of the HTTP protocol:

    11.2. 422 Unprocessable Entity

    The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.


    Just remember to provide a good description in the response payload explaining what's missing in the request.
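
The mapping discussed in the answer above, as an added example that is not part of the original answer: a missing cookie gets 400, a present but unsupported value gets 422, and each response carries a JSON body saying what is wrong. The cookie name `tenant`, its allowed values, and the function names are assumptions made for illustration.

```python
import json
from http import HTTPStatus
from http.cookies import SimpleCookie, CookieError

REQUIRED_COOKIE = "tenant"       # hypothetical cookie name
ALLOWED_VALUES = {"eu", "us"}    # hypothetical set of valid values

def problem(status, detail):
    """Build a (status, headers, body) triple with a JSON explanation."""
    body = json.dumps({"status": status,
                       "title": HTTPStatus(status).phrase,
                       "detail": detail}).encode()
    headers = [("Content-Type", "application/problem+json"),
               ("Content-Length", str(len(body)))]
    return status, headers, body

def check_cookie(cookie_header):
    """Return None if the request may proceed, else an error triple."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return problem(400, "Cookie header could not be parsed.")
    if REQUIRED_COOKIE not in jar:
        return problem(400, f"Required cookie '{REQUIRED_COOKIE}' is missing.")
    if jar[REQUIRED_COOKIE].value not in ALLOWED_VALUES:
        # Name the cookie, but do not echo the client-supplied value back.
        return problem(422, f"Cookie '{REQUIRED_COOKIE}' has an unsupported value.")
    return None

def app(environ, start_response):
    """Minimal WSGI app that applies the check before the real handler."""
    err = check_cookie(environ.get("HTTP_COOKIE"))
    if err:
        status, headers, body = err
        start_response(f"{status} {HTTPStatus(status).phrase}", headers)
        return [body]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]
```

The `app` callable can be served locally with `wsgiref.simple_server.make_server` from the standard library.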