401 Unauthorized (RFC 7235)
This is an educational reference page about HTTP 401 Unauthorized. The page itself is served as 200 OK so it can be indexed as HTTP documentation.
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource (RFC 7235, section 3.1; now RFC 9110, section 15.5.2). See Basic access authentication and Digest access authentication.
Despite its name, 401 semantically means "unauthenticated": the user does not have valid authentication credentials for the target resource.
Note: Some sites incorrectly issue HTTP 401 when an IP address is banned from the website (usually the whole domain) and that specific address is refused permission to access the site. No credentials the client could present would change that decision, so 403 Forbidden is the appropriate status there.
What it means
HTTP 401 Unauthorized means the request lacks valid authentication credentials for the target resource: they are missing, invalid, or expired. The client may repeat the request with new or different credentials.
Common causes
- Missing Authorization header, expired session, or invalid API token.
- The request used an authentication scheme the server does not accept for that resource (for example, Basic where Bearer is required).
- The server requires login before it can evaluate the resource request.
How to fix it
- Always send a WWW-Authenticate challenge with a 401 (RFC 7235 requires it); it tells the client which scheme and realm to use.
- Refresh expired tokens or re-authenticate the user, then retry the request once; do not retry in a loop on repeated 401s.
- Use 403 instead when the user is authenticated but not allowed to access the resource; re-authenticating will not help there.
Example response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api"
Content-Type: application/json

{"error":"Missing access token"}
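The following is an added example, not code from the original page, showing both halves of the "How to fix it" steps above: a server-side handler that decides between 401 (credentials missing, malformed, unknown or expired; always with a WWW-Authenticate challenge like the example response above) and 403 (authenticated but lacking the required scope; no challenge), plus a client policy that re-authenticates once on 401 and never retries a 403. The token store, token values, realm name and the scope names are constructed for the example; the error attributes in the Bearer challenge follow RFC 6750 (invalid_request, invalid_token), and no error attribute is sent when the request carried no credentials at all.

```python
import hmac
import time
from typing import Mapping, Optional

# Constructed sample token store for this example (hypothetical values, not real credentials).
# token -> (subject, granted scopes, expiry as a Unix timestamp)
TOKENS = {
    "tok-alice-rw": ("alice", frozenset({"read", "write"}), 4102444800),  # valid until 2100
    "tok-bob-ro": ("bob", frozenset({"read"}), 4102444800),
    "tok-carol-old": ("carol", frozenset({"read", "write"}), 946684800),  # expired in 2000
}

REALM = "api"  # assumed realm name for the challenge


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' value, or None
    when the header is absent, malformed, or uses a different scheme."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def lookup_token(token: str):
    """Look the token up, comparing against every stored value in constant time
    so the lookup does not leak which prefix matched."""
    found = None
    for known, info in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = info
    return found


def challenge(**params: str) -> str:
    """Build the WWW-Authenticate value, e.g. 'Bearer realm="api", error="invalid_token"'."""
    attrs = {"realm": REALM, **params}
    return "Bearer " + ", ".join(f'{k}="{v}"' for k, v in attrs.items())


def unauthorized(error: Optional[str], message: str) -> dict:
    """A 401 MUST carry a WWW-Authenticate challenge (RFC 7235, section 3.1)."""
    params = {"error": error} if error else {}
    return {
        "status": 401,
        "headers": {"WWW-Authenticate": challenge(**params), "Content-Type": "application/json"},
        "body": {"error": message},
    }


def handle(headers: Mapping[str, str], required_scope: str, now: Optional[float] = None) -> dict:
    """Server side: decide between 401 (authentication problem), 403 (authorization
    problem) and 200 for a request that needs `required_scope`."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    if auth is None:
        # Nothing presented: challenge without an error attribute (RFC 6750, section 3.1).
        return unauthorized(None, "Missing access token")
    token = parse_bearer(auth)
    if token is None:
        # Wrong or malformed scheme: still 401; the challenge says which scheme to use.
        return unauthorized("invalid_request", "Expected Bearer scheme")
    info = lookup_token(token)
    if info is None:
        return unauthorized("invalid_token", "Unknown access token")
    subject, scopes, expires_at = info
    if now >= expires_at:
        return unauthorized("invalid_token", "Access token expired")
    if required_scope not in scopes:
        # Authenticated but not permitted: 403, and no challenge, because
        # re-authenticating as the same identity will not change the answer.
        return {"status": 403, "headers": {"Content-Type": "application/json"},
                "body": {"error": f"Scope '{required_scope}' required", "subject": subject}}
    return {"status": 200, "headers": {"Content-Type": "application/json"},
            "body": {"subject": subject}}


def client_fetch(token: str, refresh, required_scope: str, now: Optional[float] = None):
    """Client side: on 401, re-authenticate once (via `refresh`) and retry; a 403 is
    returned as-is, since new credentials for the same user will not fix it.
    Returns (response, number_of_attempts)."""
    resp = handle({"Authorization": f"Bearer {token}"}, required_scope, now)
    attempts = 1
    if resp["status"] == 401:
        resp = handle({"Authorization": f"Bearer {refresh()}"}, required_scope, now)
        attempts = 2
    return resp, attempts
```

Calling handle({}, "read") reproduces the example response above (status 401, WWW-Authenticate: Bearer realm="api", body {"error": "Missing access token"}); handle with a valid but read-only token against a resource needing "write" yields 403 with no challenge header, which is the distinction the Developer notes below describe.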
Developer notes
401 is about authentication (the server does not know who the client is, or the credentials it presented are not valid). 403 is about authorization (the server knows who the client is and has decided it may not access the resource).
Questions
What does HTTP 401 mean?
HTTP 401 means the request needs valid authentication before the server can return the protected resource.
Is 401 the same as 403?
No. Use 401 when credentials are missing or invalid. Use 403 when the client is authenticated but not allowed.