HTTP 401 Unauthorized — What It Means & How to Fix It
About HTTP 401 Unauthorized
The HTTP 401 Unauthorized status code indicates the request requires authentication. The client must provide valid credentials to access the resource. This guide covers common causes, step-by-step solutions, and answers to frequently asked questions.
This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
What does HTTP 401 Unauthorized mean?
It means the request lacks valid authentication credentials. You need to provide a valid API key, token, or login credentials to access the resource.
Overview
The HTTP 401 Unauthorized status code indicates the request requires authentication. The client must provide valid credentials to access the resource.
Key Details
- Despite its name, 401 means unauthenticated, not unauthorized (which is 403).
- The response should include a WWW-Authenticate header indicating the authentication method.
- Common authentication schemes include Basic, Bearer (token), and Digest.
- The client should retry the request with proper authentication credentials.
- API keys, JWTs, or session cookies may be missing or expired.
Common Causes
- No authentication credentials were provided in the request.
- The provided API key, token, or session cookie is invalid or expired.
- The Authorization header is malformed or uses an unsupported scheme.
- A login session has timed out and needs to be refreshed.
Steps
1. Check that you are including the correct authentication credentials in your request.
2. Verify your API key or token has not expired.
3. Ensure the Authorization header uses the correct scheme (Bearer, Basic, etc.).
4. If using sessions, check if you need to log in again.
5. Review the WWW-Authenticate response header for the expected authentication method.
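
The header checks from the steps above can be run against one failed request, as in this added Python example (not part of the original page). The names `parse_challenges`, `diagnose_401` and `SAMPLE_TOKEN` are hypothetical. The JWT payload is read without signature verification, so it is for diagnosis only, and the Bearer `error` attribute it reports comes from RFC 6750, which the page does not cover.

```python
import base64, json, re, time
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')   # commas outside quoted strings
_PARAM = re.compile(r'^([\w!#$%&*+.^|~-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)$')

def parse_challenges(www_authenticate):
    """Return {scheme: {param: value}} from a WWW-Authenticate value (auth-param form)."""
    challenges, current = {}, None
    for part in filter(None, (p.strip() for p in _COMMA.split(www_authenticate))):
        m = _PARAM.match(part)
        if m is None:                       # "Scheme" or "Scheme param=value"
            scheme, _, rest = part.partition(" ")
            current = challenges.setdefault(scheme.lower(), {})
            m = _PARAM.match(rest.strip())
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip('"')
    return challenges

def _jwt_exp(token):
    """Read exp from a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    try:
        payload = token.split(".")[1]
        exp = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))).get("exp")
    except (ValueError, AttributeError, IndexError):
        return None                         # opaque token or not JWT-shaped
    return exp if isinstance(exp, (int, float)) else None

def diagnose_401(authorization, www_authenticate, now=None):
    """Map one failed request to the causes listed above; returns a list of findings."""
    offered = parse_challenges(www_authenticate or "")
    accepts = ", ".join(sorted(offered)) or "(no challenge sent)"
    if not authorization:
        return [f"no credentials sent; server accepts: {accepts}"]
    scheme, _, credential = authorization.strip().partition(" ")
    findings = []
    if not credential.strip():
        findings.append("malformed Authorization header: expected '<scheme> <credentials>'")
    elif offered and scheme.lower() not in offered:
        findings.append(f"scheme {scheme!r} not offered; server accepts: {accepts}")
    exp = _jwt_exp(credential) if scheme.lower() == "bearer" else None
    if exp is not None and exp <= (time.time() if now is None else now):
        findings.append("JWT expired (exp claim is in the past)")
    error = offered.get("bearer", {}).get("error")   # RFC 6750 error attribute
    if error:
        findings.append(f"server reported Bearer error={error}")
    return findings

# Constructed sample: JWT-shaped token with a dummy signature and exp=1000 (long past).
_b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
SAMPLE_TOKEN = ".".join([_b64({"alg": "HS256"}), _b64({"sub": "demo", "exp": 1000}), "sig"])
```

Pass the `Authorization` value you sent and the `WWW-Authenticate` value you received; an empty result means none of these header-level causes applies and the credential itself is being rejected server-side.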