401 vs 403: Unauthorized or Forbidden?
Use 401 when the client should authenticate. Use 403 when the client is authenticated or known, but still not allowed.
Quick comparison
| Question | 401 Unauthorized | 403 Forbidden |
| --- | --- | --- |
| Main problem | Authentication missing, invalid, or expired. | Authorization denied for this resource or action. |
| Client action | Log in, refresh token, or send credentials. | Do not retry unless permissions change. |
| Header | Usually includes WWW-Authenticate. | Usually does not challenge authentication. |
Questions
Should an API return 401 or 403 for an expired token?
Return 401 when the token is expired or invalid, because the client can authenticate again and obtain a fresh token.
Should a logged-in user without permission get 401 or 403?
Return 403 when the user is logged in but lacks permission for the resource.
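The decision rule from the comparison table and both questions, written out as a small authorization check. This is an added example, not code from the original page: the token store, the role names and the `authorize` function are constructed for illustration. Missing, unknown or expired tokens produce a 401 with an RFC 6750 Bearer challenge in WWW-Authenticate (so the client knows to log in or refresh); a valid token whose subject lacks the required role produces a 403 with no challenge, since re-authenticating as the same subject would not help.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample token store: token -> (subject, roles, expiry as epoch seconds).
# A real service would verify a signed token or look up a session; a dict keeps
# the example self-contained.
TOKENS = {
    "tok-alice": ("alice", {"reader", "admin"}, time.time() + 3600),
    "tok-bob": ("bob", {"reader"}, time.time() + 3600),
    "tok-stale": ("carol", {"admin"}, time.time() - 60),  # already expired
}

REALM = "api"  # assumed realm name for the challenge


@dataclass
class Decision:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _challenge(error: Optional[str] = None, description: Optional[str] = None) -> dict:
    # RFC 6750 Bearer challenge. The optional error parameters tell the client
    # why authentication failed so it can refresh or re-authenticate.
    value = f'Bearer realm="{REALM}"'
    if error:
        value += f', error="{error}"'
    if description:
        value += f', error_description="{description}"'
    return {"WWW-Authenticate": value}


def authorize(headers: dict, required_role: str, now: Optional[float] = None) -> Decision:
    """Decide 200, 401 or 403 for a request with an optional Authorization header."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")

    # No credentials: the client must authenticate, so 401 plus a challenge.
    if scheme.lower() != "bearer" or not token:
        return Decision(401, _challenge(), "authentication required")

    record = TOKENS.get(token)
    # Unknown token: still an authentication problem, not an authorization one.
    if record is None:
        return Decision(401, _challenge("invalid_token", "unknown token"), "invalid token")

    subject, roles, expires_at = record
    # Expired token: the client can obtain a fresh one, so 401 rather than 403.
    if now >= expires_at:
        return Decision(401, _challenge("invalid_token", "token expired"), "token expired")

    # Authenticated but not permitted: 403 and no WWW-Authenticate header,
    # because retrying with the same identity will not change the outcome.
    if required_role not in roles:
        return Decision(403, {}, f"{subject} lacks role {required_role}")

    return Decision(200, {}, f"hello {subject}")


if __name__ == "__main__":
    for hdrs, role in [
        ({}, "reader"),
        ({"Authorization": "Bearer tok-stale"}, "admin"),
        ({"Authorization": "Bearer tok-bob"}, "admin"),
        ({"Authorization": "Bearer tok-alice"}, "admin"),
    ]:
        d = authorize(hdrs, role)
        print(d.status, d.headers, d.body)
```

Note that the 403 path deliberately omits WWW-Authenticate, matching the "Header" row of the table: a challenge on a 403 would wrongly suggest that logging in again could succeed.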