401 Unauthorized

The HTTP 401 Unauthorized status code is a client error returned by the server to indicate that the request requires authentication and that valid credentials have not been received.

Usage

When a 401 Unauthorized error arrives, the client understands that valid login credentials are needed before access to the requested resource is granted. The client needs to first log in, or supply credentials as part of the HTTP request. The same status is returned when credentials were sent with the request but are not valid. This status is distinct from 403 Forbidden, which informs the client that the action is not allowed regardless of credentials.

When the server sends a 401 Unauthorized response, it includes the WWW-Authenticate response header, which informs the client of the accepted authentication schemes. IANA maintains a registry of standard authentication schemes, which vary in security and popularity. Common authentication schemes:

  • Basic

    Transmits credentials as ID/password pairs.

  • Bearer

    Also known as token authentication, this scheme relies on security tokens generated by the server and returned to the client after a successful login. The client sends these tokens in subsequent requests to access secure resources. The server includes error details when needed, for example: WWW-Authenticate: Bearer error="invalid_token", error_description="Token expired".

  • Digest

    A challenge-response protocol used to authenticate resource requests.

  • HOBA

    Short for HTTP Origin-Bound Authentication, a scheme that does not require the server to store passwords, which makes it resistant to phishing attacks.

  • Mutual

    Also known as two-way authentication; similar to the Basic and Digest schemes, with the difference that the server is guaranteed to know the client's encrypted password. Both client and server authenticate each other before the interaction continues.

  • AWS4-HMAC-SHA256

    An authentication scheme that supplies signed authentication information to the Amazon Web Services (AWS) S3 API.

A server can specify more than one authentication method, either on multiple WWW-Authenticate header lines or in a single comma-delimited line. When the client has the required credentials, it sends them using the Authorization request header.
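A client-side parser for the challenge list just described, added here as an example and not taken from any library this page references. parse_www_authenticate handles both the multi-line and the comma-delimited forms, basic_authorization builds the Authorization value for the Basic scheme, and pick_scheme chooses among the offered schemes; the Example/ai credentials match this page's example exchange, and all function names are assumptions.

```python
import base64
import re

# Simplified RFC 7235 grammar: auth-scheme, auth-param (token or quoted-string).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(rf"\s*({_TOKEN})(?=[\s,]|$)")
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|\"(?:[^\"\\]|\\.)*\")\s*")
_SEP = re.compile(r"\s*(?:,|$)")

def _unquote(raw):
    """Strip surrounding quotes and backslash escapes from a quoted-string."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw

def parse_www_authenticate(header_values):
    """Parse WWW-Authenticate values into [(scheme, {param: value}), ...]. Challenges
    may be spread over several header lines or packed into one comma-delimited line;
    a comma followed by name=value continues the current challenge."""
    challenges = []
    for value in header_values:
        pos = 0
        while pos < len(value):
            m = _SCHEME.match(value, pos)
            if not m:
                raise ValueError(f"expected auth-scheme at offset {pos} in {value!r}")
            scheme, params, pos = m.group(1), {}, m.end()
            m = _PARAM.match(value, pos)  # first param follows the scheme after whitespace
            while m:
                params[m.group(1).lower()] = _unquote(m.group(2))
                pos = m.end()
                m = _PARAM.match(value, pos + 1) if value.startswith(",", pos) else None
            challenges.append((scheme, params))
            sep = _SEP.match(value, pos)
            if not sep:  # e.g. a bare token68 blob, which a challenge list should not carry
                raise ValueError(f"unexpected text at offset {pos} in {value!r}")
            pos = sep.end()
    return challenges

def basic_authorization(username, password):
    """Authorization value for the Basic scheme: Base64 of 'username:password'."""
    if ":" in username:
        raise ValueError("Basic user-ids must not contain ':' (RFC 7617)")
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def pick_scheme(challenges, supported=("Bearer", "Digest", "Basic")):
    """First offered challenge the client supports, in the client's preference order."""
    for name in supported:
        for scheme, params in challenges:
            if scheme.lower() == name.lower():
                return scheme, params
    return None
```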

SEO impact

Search engines like Google do not index a URL that returns a 401 Unauthorized status. Previously indexed URLs that start returning this status code are removed from search results. Pages returning this code do not waste crawl budget. Do not use 401 to slow down Googlebot; only 429 reduces the crawl rate.

Example

The client requests a resource and the server responds with 401 Unauthorized to indicate that the resource is protected. The server indicates support for both the Basic and Mutual schemes. The client repeats the request with a username:password pair encoded according to the Basic authentication scheme in the Authorization header. The server then transmits the requested resource.

Initial request

GET /documents/tech-news HTTP/1.1
Host: www.example.re

Initial response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Documents"
WWW-Authenticate: Mutual

Next request, including Authorization

GET /documents/tech-news HTTP/1.1
Host: www.example.re
Authorization: Basic RXhhbXBsZTphaQ==

Final response

HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Length: 25000

<PDF document included in message body>

How to fix

A 401 Unauthorized means the server requires valid credentials before granting access.

  1. Check the WWW-Authenticate header in the response. This header specifies the expected authentication scheme (Basic, Bearer, Digest, etc.); match the client request to the required scheme. In a browser, open DevTools, select the Network tab, and look for the WWW-Authenticate entry under Response Headers.

  2. Verify credentials. Confirm that the username and password, API key, or bearer token is correct. A single typo or stray whitespace character in the Authorization header value causes rejection. Test the credentials in isolation with curl -H "Authorization: Bearer <token>" to rule out application-level issues.

  3. Confirm the token has not expired. Bearer tokens and session tokens have a limited lifetime. Decode a JWT with a local debugger to check the exp claim. Regenerate or refresh the access token through the authentication provider.

  4. Match the Authorization header format to the scheme. Basic expects a Base64-encoded username:password pair. Bearer expects a raw token string. An incorrect format triggers a 401 even with valid credentials. A common mistake is omitting the scheme prefix (sending the token alone without the Bearer prefix).

  5. Regenerate credentials if needed. Rotate the API key or request a new token from the authorization server. Revoked or invalidated credentials always produce this status.

  6. Clear browser cache and cookies. Stale session cookies or cached Authorization headers conflict with updated credentials. Clear stored data and re-authenticate.

  7. Check the server-side authentication configuration. Apache .htpasswd files, nginx auth_basic directives, and .htaccess AuthType rules control access. Verify that the credentials file path, the realm name, and the user entry exist. In nginx:

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    

    In Apache:

    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    
  8. Verify OAuth scopes and audience claims. An access token with correct credentials but wrong scopes, or an aud claim that does not match the resource server, still triggers a 401. Confirm the token is issued for the target API.
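The checklist above turned into a runnable client-side check, added here as an example and not code from this page or any tool it names: diagnose_authorization inspects an Authorization header value against the scheme demanded by WWW-Authenticate and reports the format and claim problems from steps 1 to 4 and 8. sample_jwt only constructs an unsigned token as test input; the checker reads claims, it does not verify signatures or contact the server, and all names are assumptions.

```python
import base64
import binascii
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def sample_jwt(claims):
    """Constructed, unsigned JWT (placeholder signature) to feed the checker."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".placeholder"

def diagnose_authorization(value, expected_scheme, audience=None, now=None):
    """List likely reasons this Authorization value drew a 401, per the checklist
    above. Inspects format and JWT claims only: it cannot verify a signature or
    whether the server actually accepts these credentials."""
    findings = []
    now = time.time() if now is None else now
    if value != value.strip():
        findings.append("whitespace around the header value")
    scheme, _, credentials = value.strip().partition(" ")
    if not credentials:  # bare token or bare Base64 string, no scheme prefix
        findings.append(f"scheme prefix missing, expected '{expected_scheme} <credentials>'")
        return findings
    if scheme.lower() != expected_scheme.lower():
        findings.append(f"scheme {scheme!r} does not match required {expected_scheme!r}")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            findings.append("Basic credentials are not valid Base64")
        else:
            if ":" not in decoded:
                findings.append("Basic credentials must encode 'username:password'")
    elif scheme.lower() == "bearer" and credentials.count(".") == 2:  # looks like a JWT
        try:
            claims = _b64url_json(credentials.split(".")[1])
        except (ValueError, binascii.Error):
            return findings + ["token looks like a JWT but its payload does not decode"]
        if "exp" in claims and claims["exp"] < now:
            findings.append("JWT exp claim is in the past, token expired")
        aud = claims.get("aud")
        if audience is not None and audience not in (aud if isinstance(aud, list) else [aud]):
            findings.append(f"JWT aud {aud!r} does not match resource {audience!r}")
    return findings
```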

Code references

.NET

HttpStatusCode.Unauthorized

Rust

http::StatusCode::UNAUTHORIZED

Rails

:unauthorized

Go

http.StatusUnauthorized

Symfony

Response::HTTP_UNAUTHORIZED

Python3.5+

http.HTTPStatus.UNAUTHORIZED

Java

java.net.HttpURLConnection.HTTP_UNAUTHORIZED

Apache HttpComponents Core

org.apache.hc.core5.http.HttpStatus.SC_UNAUTHORIZED

Angular

@angular/common/http/HttpStatusCode.Unauthorized

Takeaway

The 401 Unauthorized status code indicates that authentication is required to access the requested resource. The server informs the client of the supported authentication methods, and the client must authenticate before access is granted.

Last updated: March 6, 2026