API Key Authentication 401 — Invalid, Missing, or Expired API Key Errors

Overview

Fix API key authentication failures returning 401 Unauthorized or 403 Forbidden when the API key is missing, invalid, expired, or lacks required permissions.

Key Details

• API keys authenticate the calling application (not the user) to an API service
• Keys are typically sent via request headers (X-API-Key, Authorization: Bearer), query parameters, or cookies
• A 401 response means the key is missing or invalid; 403 means the key is valid but lacks permissions
• API keys can be scoped to specific endpoints, rate limits, or IP addresses
• Leaked API keys should be rotated immediately — check public repositories, logs, and client-side code

Common Causes

• API key not included in the request headers or included in the wrong header
• API key expired or revoked by the service provider
• Key has insufficient permissions for the requested endpoint or operation
• API key accidentally committed to a public git repository and automatically revoked

Steps

1. 1Verify the API key is sent in the correct header format as specified by the API documentation
2. 2Check the API dashboard to confirm the key is active, not expired, and has the correct permissions
3. 3Ensure the key is stored in environment variables, not hardcoded in source code
4. 4Rotate the key immediately if it may have been exposed in logs, repositories, or client-side code
5. 5Test with curl to isolate whether the issue is in your code or the key itself: curl -H 'X-API-Key: YOUR_KEY' URL

Tags

Related Items

More in 4xx Client Error

Frequently Asked Questions