Re: HTTP response codes. Looking at the code, it appears we are returning 401 Unauthorized for bad credentials, 403 Forbidden for good credentials but not allowed to perform requested operation, and 400 Bad Request for all other conditions. I agree that 404 would make sense in this case, and 500 would probably be a better choice for generic unhandled exception.
Without seeing how you are building up the Uri in PerformNodeMuting, I have to guess at the cause. Are you combining SrcNodeID with DestInterfaceID to form the Uri? Because those are from different devices, so a Uri made by combining them will not refer to anything. What if you ask SWIS for the Uri in your initial query? Like this:
SELECT DestInterfaceID, N.NodeName, I.InterfaceName, I.Uri FROM Orion.TopologyConnections TC JOIN Orion.NPM.Interfaces I ...
