HTTP Status Codes

HTTP 401 Unauthorized

401
MediumWeb ServerReference page

Unauthorized — valid authentication credentials are missing for the target resource

A 401 Unauthorized response indicates that the request cannot access the target resource because valid authentication credentials were not provided or were rejected. It differs from 403 because a 401 still leaves open the possibility that correct credentials would grant access. Servers commonly pair 401 with a WWW-Authenticate header so the client knows which authentication scheme is expected.

Visual summary

A quick reference view of how HTTP 401 works: An unknown user or request being stopped at a security checkpoint because they have no ID.

HTTP 401 visual summary showing an unknown user or request being stopped at a security checkpoint because they have no id.
Visual summary: 401 means the client is missing valid authentication credentials.

What 401 Means

The shortest useful reading of this status code.

Unauthorized means valid authentication credentials are missing for the target resource.

This status falls into the 4xx class, indicating a client-side error outcome for the request.

Quick read

Unauthorized

valid authentication credentials are missing for the target resource

Technical Context

How this status behaves without turning the page into a repair guide.

Standard usage

A 401 response is fundamentally about authentication, not authorization. The server is saying the client has not successfully proved its identity for the protected resource, so the request cannot proceed yet.

Technical nuance

That distinction separates 401 from 403. A 403 means the client is recognized but still not allowed, while a 401 means the authentication layer failed or was missing. APIs often return 401 when tokens expire, signatures do not validate, or credentials are omitted entirely.

Related HTTP Codes

Nearby HTTP status codes help clarify how 401 differs inside the same response family.

Common Causes

Missing Authorization header or session cookie

A common condition that triggers a 401 response when the web server evaluates the transaction.

Expired access token or login session

A common condition that triggers a 401 response when the web server evaluates the transaction.

Invalid API key, bearer token, or signature

A common condition that triggers a 401 response when the web server evaluates the transaction.

Unsupported authentication scheme for that endpoint

A common condition that triggers a 401 response when the web server evaluates the transaction.

Typical Scenarios

01

An API request is sent without the bearer token the endpoint expects

02

A browser session expires and the next protected request loses authentication state

03

A signed request reaches the server with an invalid or outdated signature

What To Know

A 401 is usually limited to protected endpoints rather than the entire site. When many authenticated requests begin failing at once, the common pattern is an expired credential set, a signing mismatch, or a change in how the application expects authentication headers to be sent.

Frequently Asked Questions

Common interpretation questions about HTTP 401.

A 401 means the request has not been authenticated successfully. A 403 means the server recognizes the client but still denies access to the resource.

Expired tokens fail the authentication check because they no longer represent a valid session or identity claim. From the server's perspective, the credentials are no longer acceptable for that request.

No. It can also mean the credentials were present but invalid, expired, malformed, or signed in a way the server could not verify.