Error Codes Wiki

HTTP Authentication Schemes — 401 Basic, Bearer, Digest, and OAuth Errors

Warning | 4xx client error

Overview

Guide to HTTP authentication errors including 401 Unauthorized with Basic, Bearer token, Digest, and OAuth authentication schemes and their common failure modes.

Key Details

  • HTTP 401 Unauthorized means the request lacks valid authentication credentials
  • The WWW-Authenticate header in the 401 response specifies which authentication scheme to use
  • Basic auth sends credentials that are only base64-encoded, not encrypted; it must be used over HTTPS to prevent interception
  • Bearer tokens (JWT, OAuth) are the most common API authentication method
  • Digest auth hashes credentials but is rarely used in modern applications

Common Causes

  • Missing or expired authentication token in the Authorization header
  • Incorrect authentication scheme (sending Basic when Bearer is required)
  • Token expired or revoked but client still using the old token
  • API key sent in wrong location (header vs query parameter vs body)

Steps

  1. Check the WWW-Authenticate header in the 401 response to identify the required auth scheme
  2. For Bearer auth: verify the token is not expired (decode JWT and check exp claim)
  3. Implement token refresh: use the refresh token to obtain a new access token before it expires
  4. Ensure the Authorization header format is correct: 'Bearer <token>' with a space after Bearer
  5. For Basic auth: verify credentials are base64-encoded as 'username:password'
  6. Check if the API requires additional headers like X-API-Key alongside Bearer tokens
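
The checks in steps 1, 2, 4 and 5 can be combined into one client-side diagnostic. The following is an added example, not code from the original page; the function names are hypothetical, the WWW-Authenticate parser is simplified, and the JWT payload is read without signature verification, which is acceptable for troubleshooting only and never for authorizing a request.

```python
import base64, json, re, time

def challenge_schemes(www_authenticate):
    """Scheme names offered in a WWW-Authenticate value (simplified parser)."""
    bare = re.sub(r'"(?:[^"\\]|\\.)*"', '""', www_authenticate or "")
    firsts = [p.split()[0] for p in bare.split(",") if p.strip()]
    return [w for w in firsts if "=" not in w]

def jwt_exp(token):
    """Read the exp claim WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque (non-JWT) bearer token
    try:
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims.get("exp") if isinstance(claims, dict) else None

def diagnose_401(www_authenticate, authorization, now=None):
    """Return findings for a 401; never echoes the credential itself."""
    now = time.time() if now is None else now
    offered = challenge_schemes(www_authenticate)
    if not authorization:
        return ["no Authorization header; server offers " + ", ".join(offered)]
    scheme, sep, cred = authorization.partition(" ")
    if not sep or not cred.strip():
        return ["malformed header: expected '<scheme> <credentials>'"]
    findings = []
    if offered and scheme.lower() not in (s.lower() for s in offered):
        findings.append(f"sent {scheme}, server requires " + ", ".join(offered))
    if scheme.lower() == "bearer":
        exp = jwt_exp(cred.strip())
        if isinstance(exp, (int, float)) and exp <= now:
            findings.append(f"JWT expired {int(now - exp)}s ago; refresh it")
    elif scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(cred.strip(), validate=True)
        except ValueError:
            findings.append("Basic credentials are not valid base64")
        else:
            if b":" not in decoded:
                findings.append("decoded Basic value lacks the ':' separator")
    return findings

if __name__ == "__main__":
    # Constructed sample: token payload {"exp": 1000}, checked at now=2000.
    body = base64.urlsafe_b64encode(b'{"exp": 1000}').decode().rstrip("=")
    print(diagnose_401('Bearer realm="api"', f"Bearer e30.{body}.sig", now=2000))
```

An empty findings list means none of these client-side causes apply, so the token may be revoked or rejected for a reason only the server knows.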

Tags

401, authentication, bearer-token, basic-auth, oauth

Frequently Asked Questions

401 means not authenticated (who are you?). 403 means authenticated but not authorized (you are not allowed). 401 asks for credentials; 403 denies even with valid credentials.