HTTP Status Codes
HTTP 401 Unauthorized
Unauthorized — valid authentication credentials are missing for the target resource
A 401 Unauthorized response indicates that the request cannot access the target resource because valid authentication credentials were not provided or were rejected. It differs from 403 because a 401 still leaves open the possibility that correct credentials would grant access. Servers commonly pair 401 with a WWW-Authenticate header so the client knows which authentication scheme is expected.
Visual summary
A quick reference view of how HTTP 401 works: An unknown user or request being stopped at a security checkpoint because they have no ID.

What 401 Means
The shortest useful reading of this status code.
Unauthorized means valid authentication credentials are missing for the target resource.
This status falls into the 4xx class, indicating a client-side error outcome for the request.
Quick read
Unauthorized
valid authentication credentials are missing for the target resource
Technical Context
How this status behaves without turning the page into a repair guide.
Standard usage
A 401 response is fundamentally about authentication, not authorization. The server is saying the client has not successfully proved its identity for the protected resource, so the request cannot proceed yet.
Technical nuance
That distinction separates 401 from 403. A 403 means the client is recognized but still not allowed, while a 401 means the authentication layer failed or was missing. APIs often return 401 when tokens expire, signatures do not validate, or credentials are omitted entirely.
Related HTTP Codes
Nearby HTTP status codes help clarify how 401 differs inside the same response family.
401
Unauthorized
valid authentication credentials are missing for the target resource
403
Forbidden
the server understood the request but refuses to authorize it
407
Proxy Authentication Required
client must authenticate with a proxy before forwarding the request
400
Bad Request
the server cannot process the request because it is malformed
Common Causes
Missing Authorization header or session cookie
A common condition that triggers a 401 response when the web server evaluates the transaction.
Expired access token or login session
A common condition that triggers a 401 response when the web server evaluates the transaction.
Invalid API key, bearer token, or signature
A common condition that triggers a 401 response when the web server evaluates the transaction.
Unsupported authentication scheme for that endpoint
A common condition that triggers a 401 response when the web server evaluates the transaction.
Typical Scenarios
An API request is sent without the bearer token the endpoint expects
A browser session expires and the next protected request loses authentication state
A signed request reaches the server with an invalid or outdated signature
What To Know
A 401 is usually limited to protected endpoints rather than the entire site. When many authenticated requests begin failing at once, the common pattern is an expired credential set, a signing mismatch, or a change in how the application expects authentication headers to be sent.
Frequently Asked Questions
Common interpretation questions about HTTP 401.
A 401 means the request has not been authenticated successfully. A 403 means the server recognizes the client but still denies access to the resource.
Expired tokens fail the authentication check because they no longer represent a valid session or identity claim. From the server's perspective, the credentials are no longer acceptable for that request.
No. It can also mean the credentials were present but invalid, expired, malformed, or signed in a way the server could not verify.