HTTP 402 Payment Required
HTTP 402 Payment Required is a reserved status code with no normative definition in RFC 9110 beyond the note "reserved for future use." Despite this, it is commonly used in practice by APIs and SaaS platforms to indicate that payment, a subscription, or a quota purchase is required to access the requested resource.
Quick reference
| Code | 402 |
|---|---|
| Name | Payment Required |
| Category | 4xx Client Errors |
| Specification | RFC 9110 §15.5.3 (reserved, no formal definition) |
| IANA status | Assigned (reserved for future use) |
| Formal behavior | Undefined. Behavior is implementation-specific. |
| In-depth guide | HTTP 402 usage guide → |
What it means
RFC 9110 reserves 402 "for future use" with no definition of what that use should be. The code was originally intended for a micropayment or digital currency system that was envisioned in the early web but never materialized. As a result, 402 has no specified semantics, no defined response headers, and no required client behavior.
In the absence of a standard definition, the developer community has converged on using 402 informally to mean "you need to pay to access this." Many APIs and SaaS platforms use it as a signal that the user's account is on a free tier that excludes the requested feature, the account's usage quota has been exhausted and requires a paid upgrade, or the endpoint requires a subscription that the current account does not have.
Since 402 has no formal specification, any usage is technically nonstandard. Teams that need a payment-gating signal should document the meaning clearly in their API documentation rather than relying on clients to infer it from the status code alone.
Notable real-world usage
Stripe returns 402 when a card charge fails. Various AI and LLM APIs return 402 when a usage credit limit is reached. Some SaaS platforms return 402 to distinguish quota-exceeded-requires-upgrade from simple rate limiting (which uses 429). GitHub uses 402 in some contexts for features requiring a paid plan.
402 vs 403 vs 429
The choice between these codes for payment-related access denial is a judgment call, since 402 is undefined:
| Code | Signal | When to use |
|---|---|---|
| 402 | Payment or subscription required | When the block is specifically about payment — upgrade, quota purchase, subscription |
| 403 | Access denied — no credentials will change this | When the resource is restricted by plan/tier but payment framing isn't useful |
| 429 | Rate limit exceeded | When a soft quota (time-window limit) is hit — not a hard paywall |
For a hard paywall where no amount of retrying will help without payment, 402 or 403 are both reasonable choices. 402 carries the payment-specific connotation that 403 does not, making it slightly more informative for the client developer. For soft quota limits that reset over time, 429 with a Retry-After header is more precise.
Related resources
On this site: HTTP 402 usage guide · HTTP 403 Forbidden · HTTP 429 Too Many Requests · HTTP 401 Unauthorized · All 4xx client errors
Standards: RFC 9110 §15.5.3 · IANA Registry · MDN Web Docs: 402