What is HTTP Error 405 (Method Not Allowed) and How to Fix

What is HTTP Error 405 (Method Not Allowed) and How to Fix

User Avatar
The Postman Team

Understand the HTTP 405 Method Not Allowed Error:

An HTTP 405 Method Not Allowed error can bring your API workflow to a halt. The server understands your request but rejects it because the HTTP method isn’t allowed for the specific resource. Understanding this HTTP status code helps you resolve issues faster and design more resilient APIs, whether you’re debugging a REST API or integrating a third-party service.

Question Answer
When does 405 occur? When you use an HTTP method that isn’t supported for a specific resource.
What should the response include? The Allow header, listing permitted methods.
How do I find allowed methods? Check the Allow header or send an OPTIONS request.
Is the resource missing? No. 404 indicates a missing resource. 405 means the resource exists but doesn’t support your method.
Can authentication cause 405? No. Authentication issues return 401 or 403. 405 is purely about method restrictions.
How do I prevent 405 errors? Follow REST conventions, document supported methods clearly, and return helpful error messages with the Allow header.


Try Postman today →

What is an HTTP 405 error?

The HTTP status code 405, Method Not Allowed, means that your request reached the server and the resource exists, but the server refuses the method (such as POST, PUT, or DELETE) used on that endpoint. This usually happens when the endpoint is read-only or the API is designed to handle only specific methods.

Key characteristics of 405 errors

  • The server must include an Allow header in the response, listing permitted methods.

  • The resource exists (unlike 404 Not Found).

  • The request syntax is valid (unlike 400 Bad Request).

  • Authentication is not the issue (unlike 401 Unauthorized or 403 Forbidden).

Example response:

HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD
Content-Type: application/json

{
  "error": "Method Not Allowed",
  "message": "POST is not supported for this endpoint. Use GET instead.",
  "allowed_methods": ["GET", "HEAD"]
}

This confirms the issue is with the request method, not the request body.

Common causes of HTTP 405

While the 405 message is simple, the reasons behind it can vary. Here are the most common causes:

Using the wrong request method

This is the most frequent cause of 405 errors. For example:

POST /api/users/123 → 405 Error

GET /api/users/123 → Works

The endpoint may only allow GET requests for reading data, not modifications.

Incorrect endpoint or URL structure

If you send data to the wrong endpoint, such as trying to POST to /users/123 instead of /users, the server returns 405. Always double-check pluralization and versioning in your URLs.

Routing or server misconfiguration

Improper route definitions in your backend framework or incorrect limit_except directives in Nginx can cause the server to reject valid methods.

CORS preflight failures

When the browser sends an OPTIONS preflight request and the server doesn’t respond properly, the browser never sends your main request, resulting in a 405 error.

Framework restrictions

In frameworks like Flask or Express, methods are defined explicitly. For example:

@app.route('/api/resource', methods=['GET'])
def get_resource():
    return jsonify({"data": "example"})

Calling this route with POST or PUT returns a 405.

How to fix HTTP 405 errors

If you encounter a 405, follow this step-by-step guide for troubleshooting and debugging:

1. Check the API documentation

Review the official API docs to confirm which methods are supported for the endpoint you’re using.

2. Inspect the Allow header

The server response should include an Allow header that lists all valid methods:

Allow: GET, PUT, OPTIONS

If you’re unsure which methods are valid, try an OPTIONS request.

3. Test supported methods with OPTIONS

You can use Postman or cURL to send an OPTIONS request:

OPTIONS /api/users/123 HTTP/1.1
Host: api.example.com

Example response:

HTTP/1.1 200 OK
Allow: GET, PUT, DELETE, HEAD, OPTIONS

This confirms which methods you can safely use.

4. Verify endpoint URL

A small typo can trigger a 405. Double-check for capitalization differences, trailing slashes, or version mismatches (/v1/users vs /v2/users).

5. Review server configuration

In Apache or nginx, check your .htaccess file for restricted methods or outdated modules.

Ensure your Apache configuration doesn’t restrict valid methods:

location /api/data {
    limit_except GET HEAD {
        deny all;
    }
}

Adjust as needed to allow additional methods.

6. Fix routing rules in your application

If you’re using Flask, Express, or Django, ensure that routes include all required methods. Example:

// Express.js
app.route('/api/users/:id')
   .get(getUser)
   .put(updateUser)
   .delete(deleteUser);

7. Recheck authentication and permissions

Even though 405 is not an authentication error, some APIs restrict methods to specific roles. Certain plugins or server configurations can also restrict permissions, resulting in a 405 error. Ensure your credentials allow the attempted operation.

8. Test and validate in Postman

Postman makes diagnosing 405 errors straightforward:

  • Create a new request and switch between methods (GET, POST, PUT).

  • Observe the Allow header in responses.

  • Automate verification with a test script:

pm.test("Validate 405 Response", function () {
  pm.response.to.have.status(405);
  pm.response.to.have.header("Allow");
});

How to prevent 405 errors

Designing robust APIs reduces the chance of running into 405 responses. Follow these best practices:

Follow RESTful conventions

Use standard HTTP methods for common operations:

Operation Method Example
Retrieve users GET /api/users
Retrieve specific user GET /api/users/123
Create a new user POST /api/users
Update user PUT / PATCH /api/users/123
Delete user DELETE /api/users/123

Always include the Allow header

When rejecting a request, tell the client what is allowed:

HTTP/1.1 405 Method Not Allowed
Allow: GET, PUT, DELETE

Handle OPTIONS requests properly

Ensure your API supports OPTIONS requests to help clients and browsers discover valid methods and enable CORS.

Provide clear error messages

Avoid generic 405 responses. Include details that guide developers:

{
  "error": "Method Not Allowed",
  "message": "POST is not supported for /api/users/123. Use PUT to update or POST to /api/users to create a new user.",
  "allowed_methods": ["GET", "PUT", "DELETE"]
}

Document supported methods

Maintain accurate API documentation so developers know which HTTP methods are permitted per endpoint.

Common 405 scenarios

Scenario Wrong request Correct request
Modifying a read-only resource POST /api/posts/123/views POST /api/posts/123/view
Creating resources at specific IDs POST /api/users/123 POST /api/users
Using POST for search POST /api/products/filter GET /api/products?category=electronics
Missing route definition Route defined for GET only Add PUT or DELETE methods to the route

HTTP 405 vs other status codes

Code Meaning Example
400 Bad Request Invalid syntax or malformed data POST /users {bad-json}
401 Unauthorized Missing or invalid credentials GET /users/123 (no token)
403 Forbidden Authenticated but lacking permission DELETE /users/123 as standard user
404 Not Found Resource doesn’t exist GET /users/999
405 Method Not Allowed Wrong HTTP method for the resource POST /users/123 instead of PUT

Testing and debugging with Postman

Postman is the easiest way to test, debug, and prevent 405 errors:

  • Quickly switch between HTTP methods in the same request.

  • View Allow headers directly in the response pane.

  • Send OPTIONS requests to discover supported methods.

  • Automate regression tests using Collections or the Postman CLI.

By testing regularly and documenting clearly, you can eliminate most 405 errors long before they reach production.

Final thoughts

A 405 indicates that your API and client are not in sync, not that it is a failure. Fixing it means aligning HTTP methods with server rules and communicating those rules clearly. With Postman, you can uncover, reproduce, and prevent 405 errors in just a few clicks.

In this post

Tags:
User Avatar

The Postman Team

Postman is the single platform for designing, building, and scaling APIs—together. Join over 40 million users who have consolidated their workflows and leveled up their API game—all in one powerful platform.

View all posts by The Postman Team →

What do you think about this topic? Tell us in a comment below.

Comment

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

You might also like

HTTP PATCH Method: Partial Updates for RESTful APIs

User Avatar

What is the HTTP PATCH method? The HTTP PATCH method applies partial modifications to a resource identified by a specific URI. PATCH…

Read more →

What is API Rate Limiting? Understanding Request Throttling and Best Practices

User Avatar

API Rate Limiting: Quick Reference Question Answer What happens when limits are exceeded? The API returns a 429 Too Many Requests status,…

Read more →

REST API Best Practices: A Developer’s Guide to Building Reliable APIs

User Avatar

Quick reference Use nouns, not verbs. URLs represent resources, and HTTP methods define what happens. Use correct HTTP methods. GET, POST, PUT,…

Read more →