Unauthorized — valid authentication credentials are missing for the target resource
What 401 Means
HTTP status code 401 means Unauthorized: valid authentication credentials are missing for the target resource. This typically occurs because of a missing Authorization header or session cookie.
A 401 Unauthorized response indicates that the request cannot access the target resource because valid authentication credentials were not provided or were rejected. It differs from 403 because a 401 still leaves open the possibility that correct credentials would grant access. Servers commonly pair 401 with a WWW-Authenticate header so the client knows which authentication scheme is expected.
Technical Background
A 401 response is fundamentally about authentication, not authorization. The server is saying the client has not successfully proved its identity for the protected resource, so the request cannot proceed yet.
That distinction separates 401 from 403. A 403 means the client is recognized but still not allowed, while a 401 means the authentication layer failed or was missing. APIs often return 401 when tokens expire, signatures do not validate, or credentials are omitted entirely.
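The decision described above, sketched as an added example (not code from any particular server or framework): a bearer-token check that returns 401 with a WWW-Authenticate challenge when credentials are missing, unsupported, badly signed, or expired, and 403 only once the caller is authenticated but lacks permission. The token format, the SECRET key, the scope names, and the function names are assumptions made for the demo; the `invalid_token` error value follows the Bearer scheme in RFC 6750.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: shared HMAC key, demo only

def sign(payload: dict) -> str:
    """Issue a demo token: base64url(JSON payload) + "." + hex HMAC-SHA256."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def challenge(error=None, desc=None) -> dict:
    """Build the WWW-Authenticate header that accompanies a 401."""
    value = 'Bearer realm="api"'
    if error:
        value += f', error="{error}", error_description="{desc}"'
    return {"WWW-Authenticate": value}

def check(headers: dict, needed_scope: str, now=None):
    """Return (status, response_headers) for one request."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    if not auth:                                    # credentials omitted
        return 401, challenge()
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:     # unsupported scheme
        return 401, challenge()
    body, _, mac = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return 401, challenge("invalid_token", "signature check failed")
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:                              # malformed payload
        return 401, challenge("invalid_token", "malformed token")
    if claims.get("exp", 0) <= now:                 # expired token
        return 401, challenge("invalid_token", "token expired")
    if needed_scope not in claims.get("scope", []):
        return 403, {}                              # authenticated, not allowed
    return 200, {}
```

Every 401 branch carries a challenge header, while the 403 branch does not, because resending different credentials is only useful in the 401 cases.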
Common Causes
- Missing Authorization header or session cookie
- Expired access token or login session
- Invalid API key, bearer token, or signature
- Unsupported authentication scheme for that endpoint
Typical Scenarios
- An API request is sent without the bearer token the endpoint expects
- A browser session expires and the next protected request loses authentication state
- A signed request reaches the server with an invalid or outdated signature
What to Know
A 401 is usually limited to protected endpoints rather than the entire site. When many authenticated requests begin failing at once, the common pattern is an expired credential set, a signing mismatch, or a change in how the application expects authentication headers to be sent.
Frequently Asked Questions
Common questions about the HTTP 401 error
A 401 means the request has not been authenticated successfully. A 403 means the server recognizes the client but still denies access to the resource.
Expired tokens fail the authentication check because they no longer represent a valid session or identity claim. From the server's perspective, the credentials are no longer acceptable for that request.
No. It can also mean the credentials were present but invalid, expired, malformed, or signed in a way the server could not verify.