Convention for HTTP response header to notify clients of deprecated API

I'm upgrading our REST API endpoints and I want to notify clients when they are calling the to-be-deprecated endpoint.
What header should I use in the response with a message along the lines of "This API version is being deprecated, please consult the latest documentation to update your endpoints"


I would not change anything in the status code to be backward compatible. I would add a "Warning" header in the response :

Warning: 299 - "Deprecated API"

You can also specify the "-" with the "Agent" that emits the warning, and be more explicit in the warn-text :

Warning: 299 api.blazingFrog.com "Deprecated API: use betterapi.blazingFrog.com instead. Old API maintained until 2015-06-02"

Warning header is specified here: https://www.rfc-editor.org/rfc/rfc7234#section-5.5. Warn-code 299 is generic, "Deprecated" is not standard.

You have to tell your API clients to log the HTTP warnings and monitor it.

I've never used it until now, but when my company will be more mature in Rest API I will integrate it.

Edit (2019-04-25): As @Harry Wood mentioned it, the Warning header is in a chapter related to caching in the documentation. However, the RFC is clear Warnings can be used for other purposes, both cache-related and otherwise.

If you prefer an alternate method, this draft https://datatracker.ietf.org/doc/html/draft-dalal-deprecation-header-00 suggests a new header "Deprecation".

Edit (2021-01-04) : As @Dima Parzhitsky mentioned it, MDN says this header is deprecated


You could use 410 (Gone).

Here's how W3C's Status Code Definitions describe it:

410 (Gone)

The requested resource is no longer available at the server and no forwarding address is known. This condition is expected to be considered permanent. Clients with link editing capabilities SHOULD delete references to the Request-URI after user approval. If the server does not know, or has no facility to determine, whether or not the condition is permanent, the status code 404 (Not Found) SHOULD be used instead. This response is cacheable unless indicated otherwise.

The 410 response is primarily intended to assist the task of web maintenance by notifying the recipient that the resource is intentionally unavailable and that the server owners desire that remote links to that resource be removed. Such an event is common for limited-time, promotional services and for resources belonging to individuals no longer working at the server's site. It is not necessary to mark all permanently unavailable resources as "gone" or to keep the mark for any length of time -- that is left to the discretion of the server owner.


I would/ have gone with 301 (Moved Permanently) The 300 series codes are supposed to tell the client they have an action to do.


Refining @dret's response. There are two relevant HTTP headers for deprecation: Deprecation (https://datatracker.ietf.org/doc/html/draft-dalal-deprecation-header-00) and Sunset.

To inform users about the planned deprecation, the Deprecation HTTP header should be used. This indicates that the endpoint will be dropped some time in the future. It also allows you to indicate the date when this was announced, and to describe alternate resources.

To inform users about the planned sunset date of the deprecated resource, the Sunset header should be used in addition to the Deprecation header. This is described in section #5 https://datatracker.ietf.org/doc/html/draft-dalal-deprecation-header-00#section-5.

Draft #11 https://datatracker.ietf.org/doc/html/draft-wilde-sunset-header-11 of the Sunset header clarifies this aspect as well in section 1.4 https://datatracker.ietf.org/doc/html/draft-wilde-sunset-header-11#section-1.4.