I have an API with a 2 step sign-up flow:
POST (with some account information in the body)
POST (with a verification code received via text or email)

I'm thinking the response status codes for these steps should be:

Is this an appropriate use of 202 Accepted?

No, this might not be an appropriate use of 202 Accepted.
The response 202 Accepted indicates that the request has been accepted for processing by the server and that it can't be acted upon.
The 202 (Accepted) status code indicates that the request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place. There is no facility in HTTP for re-sending a status code from an asynchronous operation.
The 202 response is intentionally noncommittal. Its purpose is to allow a server to accept a request for some other process (perhaps a batch-oriented process that is only run once per day) without requiring that the user agent's connection to the server persist until the process is completed. The representation sent with this response ought to describe the request's current status and point to (or embed) a status monitor that can provide the user with an estimate of when the request will be fulfilled.
So you might use 201 Created (like OAuth 2.0 does) as you might be creating the User resource immediately when the user sends the POST request for registration. However, if your registration process is too complex or requires some background operations before you send the confirmation email/SMS, you can still look into 202.
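The difference between the two responses for the first sign-up POST, as an added example that is not part of the original question or answer. It is framework-free; the `/users` and `/signups` paths, the function names, the in-memory stores and the 409 for a duplicate address are assumptions made for illustration.

```python
import secrets

USERS = {}    # user_id -> account record (the created User resource)
SIGNUPS = {}  # job_id  -> queued registration awaiting background processing

def _email_taken(email):
    return any(u["email"] == email for u in USERS.values())

def _create_user(account):
    user_id = secrets.token_urlsafe(8)
    USERS[user_id] = {"email": account["email"], "verified": False}
    return user_id

def sign_up(account, deferred=False):
    """Handle the first POST; returns (status, headers, body)."""
    if not deferred:
        # The User resource exists before we respond: 201 plus its location.
        if _email_taken(account["email"]):
            return 409, {}, {"error": "email already registered"}
        user_id = _create_user(account)
        return 201, {"Location": f"/users/{user_id}"}, {"verified": False}
    # Work is only queued: 202 commits to nothing and points at a status monitor.
    job_id = secrets.token_urlsafe(8)
    SIGNUPS[job_id] = {"account": account, "state": "pending", "user": None}
    return 202, {}, {"state": "pending", "monitor": f"/signups/{job_id}"}

def process_signup(job_id):
    """Background worker: the queued request may still be disallowed here."""
    job = SIGNUPS[job_id]
    if _email_taken(job["account"]["email"]):
        job["state"] = "rejected"
    else:
        job["user"] = f"/users/{_create_user(job['account'])}"
        job["state"] = "created"

def signup_status(job_id):
    """GET on the status monitor: the only way the client learns the outcome."""
    job = SIGNUPS.get(job_id)
    if job is None:
        return 404, {}, {}
    return 200, {}, {"state": job["state"], "user": job["user"]}
```

With 202 the client never receives a second status code for the original request, so a rejection during background processing is visible only through the monitor resource.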