Six API endpoints — some return the correct HTTP status code, others have mismatches between the status and the response body. Your job is to find where the status code doesn't match reality.
HTTP status codes are a contract between the server and the client. A 200 OK must mean success, a 500 must mean failure. When status codes are inconsistent with the response body, clients (and tests) can silently pass on broken behaviour.
| True Negative | /api/card/1/ → 200 with valid JSON (correct) |
| True Positive | /api/card/999/ → 404 not found (correct) |
| Bug | /api/card/save/ → 200 but body contains {"error": "Save failed"} |
| Bug | /api/card/update/ → 500 but update actually succeeded |
| True Positive | POST with invalid data → 400 validation error (correct) |
| True Positive | Unauthorized request → 401 (correct) |
200 doesn't mean success500 doesn't mean failure