Proper 404 Status Codes for Non-Existent API Endpoints

Currently, when calling non-existent API methods (e.g. api/NonExistentMethod), the API returns a 200 OK status code instead of the expected 404 Not Found. This happens because the catch-all route /api/[{params:.*}] in apiroutes.php processes all requests, even invalid ones.

Why this matters:

  • API security tools and firewalls rely on proper HTTP status codes for threat detection

  • Third-party API monitoring tools need accurate status codes for error reporting

  • Client applications cannot properly distinguish between valid and invalid endpoints

  • It violates REST API best practices which require 404 responses for non-existent resources

Proposed solution in apiroutes.php:

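// Assumes Slim 4, where this exception class lives in Slim\Exception.
use Slim\Exception\HttpNotFoundException;

// Catch-all for /api/*: respond with 404 Not Found instead of 200 OK.
$app->any('/api/[{params:.*}]', function ($request, $response) {
    throw new HttpNotFoundException($request);
})
->add(JwtMiddleware::class) // route middleware: the JWT check runs before the handler
->setName("catchall");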

This simple change ensures:

  1. Proper 404 responses for non-existent endpoints

  2. Better integration with API security tools

  3. Accurate error reporting in monitoring systems

  4. Compliance with REST API standards

The implementation is minimal and maintains all existing functionality including JWT authentication.


Note that v2025 still supports the deprecated $API_ACTIONS which requires the “catchall” routes.
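
The status-code point raised in the first post, seen from the detection side, as an added example that is not code from the thread or from the project: a log check that flags clients requesting many distinct non-existent /api/ paths. The log lines, addresses, paths other than api/NonExistentMethod, and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed probe paths; only /api/NonExistentMethod appears in the thread.
PROBE_PATHS = ["/api/NonExistentMethod", "/api/admin", "/api/debug",
               "/api/v0/users", "/api/backup"]

def make_log(unknown_status):
    """Build constructed access-log lines; unknown_status is what the
    catch-all route answers for methods that do not exist (200 or 404)."""
    lines = ['198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] '
             '"GET /api/ValidMethod HTTP/1.1" 200 512']
    for i, path in enumerate(PROBE_PATHS):
        lines.append(f'203.0.113.9 - - [01/Jan/2025:10:00:{i + 1:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {unknown_status} 64')
    # A legitimate client with a single typo must stay below the threshold.
    lines.append('198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] '
                 f'"GET /api/ValidMethd HTTP/1.1" {unknown_status} 64')
    return lines

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def enumeration_suspects(lines, threshold=3):
    """Return {client: [paths]} for clients that received 404 on at least
    `threshold` distinct /api/ paths."""
    missing = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        client, _method, path, status = m.groups()
        if status == "404" and path.startswith("/api/"):
            missing[client].add(path.split("?", 1)[0])  # ignore query strings
    return {c: sorted(p) for c, p in missing.items() if len(p) >= threshold}

if __name__ == "__main__":
    # Same traffic, two server behaviours: only the 404 variant leaves a signal.
    print("catch-all answers 200:", enumeration_suspects(make_log(200)))
    print("catch-all answers 404:", enumeration_suspects(make_log(404)))
```

With the catch-all answering 200, the probing client is indistinguishable from normal traffic in this check; with 404 it is the only client reported.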