401 Unauthorized

Client Error (4xx)

The 401 Unauthorized status code indicates that the request lacks valid authentication credentials. Despite the name, it is about authentication (who you are), not authorization (what you can do). The server includes a WWW-Authenticate header indicating the authentication scheme required. The client should retry with valid credentials.

What is HTTP 401 Unauthorized?

HTTP 401 Unauthorized is a client error (4xx) status code: the request lacks valid authentication credentials, and the server's WWW-Authenticate header names the scheme the client must use when it retries. Common causes include a missing authentication token or API key and an expired JWT or session token. To fix it, include a valid Authorization header (Bearer token, Basic auth, or API key).

Example Response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api"
Content-Type: application/json

{"error": "Invalid or expired token"}

Common Causes

  1. Missing authentication token or API key
  2. Expired JWT or session token

How to Fix

  1. Include a valid Authorization header (Bearer token, Basic auth, API key)
  2. Refresh expired tokens using the refresh token flow
  3. Verify credentials are correct and the account is active
  4. Check that the token has not been revoked
  5. Ensure the Authorization header format matches the server's expected scheme

Frequently Asked Questions

What is the difference between 401 and 403?

401 means the client is not authenticated (identity not verified). 403 means the client is authenticated but not authorized to access the resource. 401 says 'who are you?' while 403 says 'you do not have permission.'
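The example response above and the 401-versus-403 distinction in this answer come together in how a server decides which code to send. The following added example (not code from the original page) is a server-side check that first authenticates a Bearer token and only then checks scope: a missing header, a wrong scheme, or an unknown, expired or revoked token yields 401 with a WWW-Authenticate challenge (using the error codes defined for Bearer tokens in RFC 6750), while a valid token that lacks the required scope yields 403. The token store, scopes and clock values are constructed for the demonstration; the 401 body is deliberately the same for every invalid-token case so the response does not reveal whether a token exists, has expired or was revoked.

```javascript
// Added example, not from the original page. Constructed token store: in a real
// service these records would come from a session store or JWT verification.
const TOKENS = {
  "tok-alice": { subject: "alice", expiresAt: 2000, revoked: false, scopes: ["orders:read"] },
  "tok-bob":   { subject: "bob",   expiresAt: 2000, revoked: true,  scopes: ["orders:read"] },
  "tok-carol": { subject: "carol", expiresAt: 1000, revoked: false, scopes: ["orders:read", "orders:write"] },
};

// Build a Bearer challenge per RFC 6750 (realm, plus an optional error code).
function bearerChallenge(error) {
  return error ? `Bearer realm="api", error="${error}"` : 'Bearer realm="api"';
}

// Header names are case-insensitive (RFC 7230), so look the header up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the response the server should send for this request.
// 401: "who are you?" (no usable credentials). 403: "you may not do this" (known
// identity, missing permission). `now` is injected so expiry is testable.
function authorizeRequest(headers, requiredScope, now, tokens = TOKENS) {
  const auth = getHeader(headers, "authorization");
  if (!auth) {
    // No credentials at all: challenge the client with the expected scheme.
    return { status: 401, headers: { "WWW-Authenticate": bearerChallenge() },
             body: { error: "Authentication required" } };
  }
  const [scheme, credential] = auth.trim().split(/\s+/, 2);
  if (!/^bearer$/i.test(scheme) || !credential) {
    // Wrong scheme (e.g. Basic) or malformed header: still 401, with invalid_request.
    return { status: 401, headers: { "WWW-Authenticate": bearerChallenge("invalid_request") },
             body: { error: "Authorization header must use the Bearer scheme" } };
  }
  const record = tokens[credential];
  if (!record || record.revoked || record.expiresAt <= now) {
    // Unknown, revoked or expired: one generic message for all three cases.
    return { status: 401, headers: { "WWW-Authenticate": bearerChallenge("invalid_token") },
             body: { error: "Invalid or expired token" } };
  }
  if (!record.scopes.includes(requiredScope)) {
    // Authenticated but not permitted: this is the authorization failure, 403.
    return { status: 403, headers: { "WWW-Authenticate": bearerChallenge("insufficient_scope") },
             body: { error: `Scope ${requiredScope} required` } };
  }
  return { status: 200, subject: record.subject };
}

// Stand-alone run: exercise each path with constructed requests at clock value 1500.
if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    [{}, "orders:read"],
    [{ Authorization: "Basic YWxpY2U6c2VjcmV0" }, "orders:read"],
    [{ authorization: "Bearer tok-alice" }, "orders:read"],
    [{ authorization: "Bearer tok-alice" }, "orders:write"],
    [{ authorization: "Bearer tok-bob" }, "orders:read"],
    [{ authorization: "Bearer tok-carol" }, "orders:read"],
  ];
  for (const [headers, scope] of cases) {
    console.log(JSON.stringify(authorizeRequest(headers, scope, 1500)));
  }
}
```

The order of the checks is the point: scope is never consulted until the token has been accepted, so an unauthenticated caller cannot learn from the status code which scopes a resource requires.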

Why is it called Unauthorized instead of Unauthenticated?

This is a widely acknowledged naming mistake in the HTTP specification. 401 is about authentication (verifying identity), not authorization (verifying permissions). 403 Forbidden is the actual authorization error.

How should I handle 401 in a web app?

Redirect the user to a login page or trigger a token refresh. For SPAs, intercept 401 responses globally and attempt to refresh the access token. If refresh fails, redirect to login.
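The SPA handling described in this answer (intercept 401 globally, refresh once, retry, and fall back to login) looks like the following added example; it is not code from the original page. The transport, token endpoint and logout action are injected so the wrapper runs offline against a constructed fake server; the names createAuthFetch, refreshTokens and onAuthFailure are this example's own. It also handles the case the answer does not spell out: when several requests fail with 401 at the same moment, they share a single refresh call instead of each refreshing (and each logging the user out) on its own.

```javascript
// Added example, not from the original page. Wraps a fetch-like transport so that
// a 401 triggers at most one token refresh and one retry per request.
function createAuthFetch({ fetchImpl, tokens, refreshTokens, onAuthFailure }) {
  let refreshInFlight = null; // shared promise: parallel 401s wait on one refresh

  function refreshOnce() {
    if (!refreshInFlight) {
      refreshInFlight = refreshTokens(tokens.refresh)
        .then((fresh) => { tokens.access = fresh.access; tokens.refresh = fresh.refresh; return true; })
        .catch(() => { onAuthFailure(); return false; }) // one logout per failed refresh, not per request
        .finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  // Attach the current access token without mutating the caller's init object.
  function withBearer(init) {
    const headers = Object.assign({}, init.headers || {}, { Authorization: `Bearer ${tokens.access}` });
    return Object.assign({}, init, { headers });
  }

  return async function authFetch(url, init = {}) {
    let response = await fetchImpl(url, withBearer(init));
    if (response.status !== 401) return response;
    // 401: our credentials were rejected. Refresh (or join the refresh in progress).
    const refreshed = await refreshOnce();
    if (!refreshed) return response; // onAuthFailure already ran; hand the 401 back
    response = await fetchImpl(url, withBearer(init)); // retry exactly once
    if (response.status === 401) onAuthFailure(); // fresh token rejected too: give up
    return response;
  };
}

// Constructed fake API: accepts only tokens in `validAccessTokens`, answers 401 with a
// Bearer challenge otherwise, and counts calls so the behaviour can be checked.
function makeFakeServer(validAccessTokens, refreshWorks) {
  const calls = { fetch: 0, refresh: 0 };
  const fetchImpl = async (url, init) => {
    calls.fetch += 1;
    const auth = (init.headers && init.headers.Authorization) || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : null;
    if (token && validAccessTokens.has(token)) return { status: 200, url };
    return { status: 401, headers: { "WWW-Authenticate": 'Bearer realm="api", error="invalid_token"' } };
  };
  const refreshTokens = async (refreshToken) => {
    calls.refresh += 1;
    if (!refreshWorks || refreshToken !== "refresh-ok") throw new Error("refresh rejected");
    validAccessTokens.add("access-new");
    return { access: "access-new", refresh: "refresh-ok-2" };
  };
  return { fetchImpl, refreshTokens, calls };
}

// Scenario: the stored access token has expired (the server accepts none), two requests
// fire in parallel, and the refresh either succeeds or fails.
async function runScenario(refreshWorks) {
  const server = makeFakeServer(new Set(), refreshWorks);
  let logouts = 0;
  const authFetch = createAuthFetch({
    fetchImpl: server.fetchImpl,
    tokens: { access: "access-expired", refresh: "refresh-ok" },
    refreshTokens: server.refreshTokens,
    onAuthFailure: () => { logouts += 1; }, // a real SPA would redirect to the login page here
  });
  const [a, b] = await Promise.all([authFetch("/api/me"), authFetch("/api/orders")]);
  return { statuses: [a.status, b.status], fetches: server.calls.fetch,
           refreshes: server.calls.refresh, logouts };
}

if (typeof require !== "undefined" && require.main === module) {
  runScenario(true).then((r) => console.log("refresh ok:", JSON.stringify(r)))
    .then(() => runScenario(false)).then((r) => console.log("refresh fails:", JSON.stringify(r)));
}
```

With a working refresh the two parallel requests cost four transport calls and one refresh, and both end with 200; with a failing refresh they cost two transport calls, one refresh and one logout. The single-flight promise is what keeps a burst of 401s from turning into a burst of refresh requests and repeated redirects.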

Related Status Codes

403 Forbidden
400 Bad Request

Related Reading

HTTP Status Codes Cheat Sheet: Every Code Explained
JSON vs YAML vs TOML: Which Config Format to Use