79774886

Date: 2025-09-25 13:27:17
Score: 1
Natty:

IMO, if you are a smaller organization and strict on security, neither is a good idea because you make your system vulnerable to probing attacks, i.e., when a malicious actor tries to find out if a user with a given email address already exists. While 409 is semantically correct for the state of the resource, exposing that information creates a vulnerability. The secure way to handle this is to make your API's response ambiguous. The sign-up endpoint should always return the same generic, success-like response, regardless of whether the email already exists. E.g., a 200 or 202 will do. I am aware this is rather bad from a UX perspective, but unless you have some advanced probing identification like Google, I suggest against sharing if an email exists.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Single line (0.5):
  • Low reputation (0.5):
Posted by: vanya
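Added illustration, not part of vanya's answer: the 409 variant beside the ambiguous one the answer recommends, plus a unit-test style check a team can run against its own handler to flag the leak. The in-memory user store, the outbox, the salt and the password values are constructed stand-ins, not real infrastructure.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed stand-ins: `users` maps email -> password hash (a real DB in
# practice); `outbox` collects (recipient, text) pairs instead of sending mail.

@dataclass(frozen=True)
class Response:
    status: int
    body: dict

def hash_password(password: str) -> bytes:
    # Deliberately costly so both sign-up branches below spend the same time.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 20_000)

def signup_leaky(email: str, password: str, users: dict, outbox: list) -> Response:
    """The 409 style the answer argues against: the status code itself tells a
    prober whether `email` is registered, and no hashing happens on that path."""
    if email in users:
        return Response(409, {"error": "email already registered"})
    users[email] = hash_password(password)
    outbox.append((email, "Confirm your new account."))
    return Response(201, {"message": "account created"})

def signup_uniform(email: str, password: str, users: dict, outbox: list) -> Response:
    """The ambiguous style the answer recommends: identical status and body whether
    or not the email exists. The branch survives only out of band (which email is
    sent), and hashing runs on both paths so timing does not give it away either."""
    digest = hash_password(password)
    if email in users:
        outbox.append((email, "An account already exists for this address; log in or reset your password."))
    else:
        users[email] = digest
        outbox.append((email, "Confirm your new account."))
    return Response(202, {"message": "If the address is valid, an email is on its way."})

def leaks_existence(handler, users: dict) -> bool:
    """Regression-style check for your own endpoint: call the handler with one
    registered and one unregistered address and report whether the responses differ."""
    known = next(iter(users))
    unknown = f"probe-{secrets.token_hex(4)}@example.invalid"
    a = handler(known, "constructed-pw", dict(users), [])
    b = handler(unknown, "constructed-pw", dict(users), [])
    return a != b
```

The check only compares status and body; in a real test you would also watch response time and headers, since any of them can carry the same signal.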