HTTP 401 Unauthorized

Authentication required: the server does not know who you are, or your credentials no longer work.

What HTTP 401 means

HTTP 401 Unauthorized means the request was rejected because it lacks valid authentication credentials. Despite the name, it is about authentication (who you are), not authorization (what you may do) — that second case is 403 Forbidden.

A spec-compliant 401 includes a WWW-Authenticate header describing how to authenticate, e.g. Bearer for token APIs or Basic for classic HTTP auth.

Common causes of 401 errors

  • No credentials were sent at all (missing Authorization header or session cookie).
  • An expired, revoked or malformed token — the most common API cause.
  • Wrong authentication scheme (sending an API key where a Bearer token is expected).
  • A logged-out session: cookies expired or were cleared while a tab stayed open.
  • Clock skew making short-lived JWTs appear expired on arrival.

How to fix it as a user

  • Log in again — the session most likely expired.
  • If it loops, clear the site's cookies and sign in fresh.
  • Check that the URL is not an admin or staging area that requires an account you do not have.

How to fix it as a developer

  • Refresh or re-issue expired tokens; implement automatic token refresh in API clients.
  • Send the Authorization header in exactly the expected format (“Bearer <token>” — the word and the space matter).
  • Return 401 only for missing/invalid credentials and 403 for valid users lacking rights, so clients can react correctly.
  • Verify server time sync (NTP) when JWT “exp” validation fails unexpectedly.
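The developer rules above (exact "Bearer <token>" parsing, 401 for missing/invalid credentials versus 403 for valid users lacking rights, a WWW-Authenticate challenge on every 401, and a small leeway for clock skew on "exp") worked through in one server-side check. This is an added example, not code from the original page; it assumes HS256 tokens signed with a shared secret, a constructed secret value, and a 60-second skew allowance.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: the HS256 signing secret shared with the issuer
LEEWAY = 60                          # seconds of clock skew tolerated when checking "exp"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Issue a minimal HS256 JWT (used here only to build test inputs)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _challenge(error=None, desc=None):
    """Build the WWW-Authenticate header a spec-compliant 401 must carry."""
    parts = ['realm="api"']
    if error:
        parts.append(f'error="{error}"')
    if desc:
        parts.append(f'error_description="{desc}"')
    return {"WWW-Authenticate": "Bearer " + ", ".join(parts)}

def authenticate(authorization, required_scope, now=None):
    """Return (status, headers, claims): 401 = not authenticated, 403 = authenticated but not allowed."""
    now = time.time() if now is None else now
    if authorization is None:                      # no credentials at all
        return 401, _challenge(), None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:    # scheme name is case-insensitive per RFC 7235
        return 401, _challenge("invalid_request", "expected Bearer <token>"), None
    try:
        h, b, s = token.split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":   # refuse "none" and other algorithms
            raise ValueError("unexpected alg")
        expected = hmac.new(SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):  # constant-time signature check
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(b))
    except Exception:
        return 401, _challenge("invalid_token", "malformed or bad signature"), None
    if claims.get("exp", 0) + LEEWAY < now:        # missing "exp" is treated as expired
        return 401, _challenge("invalid_token", "expired"), None
    if required_scope not in claims.get("scope", "").split():
        return 403, _challenge("insufficient_scope", f"requires {required_scope}"), claims
    return 200, {}, claims
```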

Example response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="expired"

FAQ

What is the difference between 401 and 403?

401 means the server does not have valid credentials for you — log in or refresh the token. 403 means it knows who you are and still refuses.

Why do I get 401 with a valid token?

Common causes: expired token, wrong header format, token issued for a different environment or audience, or server clock skew.

Should a failed login return 401?

For APIs, yes, with an explanatory body. Web login forms usually return 200 with an error message on the page instead.