what should be HTTP status code for credentials Expired error/exception?
As the timestamp is invalid, I think the token is invalid. So the client is not authenticated anymore. So I would throw a 401 Unauthorized. You're free to add extra data of the context as HTTP header with the X- prefix, or to add a response body encoded according to the Accept request header (json, text, etc.). Like:
{
"error": {
"status": 401,
"details": {
"code": "401.3",
"description": "The timestamp provided must not be in the future."
}
}
}
It is not a 403 Forbidden : 403 means "the client is authenticated but does not have the right to send this request". In your case, I think the client is not authenticated any more.