HTTP Authentication Schemes — 401 Basic, Bearer, Digest, and OAuth Errors
About HTTP Authentication Schemes
Guide to HTTP authentication errors including 401 Unauthorized with Basic, Bearer token, Digest, and OAuth authentication schemes and their common failure modes. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: HTTP 401 Unauthorized means the request lacks valid authentication credentials. The WWW-Authenticate header in the 401 response specifies which authentication scheme to use. Basic auth sends base64-encoded credentials — must use HTTPS to prevent interception. Bearer tokens (JWT, OAuth) are the most common API authentication method. Digest auth hashes credentials but is rarely used in modern applications. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.
The most common reasons this occurs include: Missing or expired authentication token in the Authorization header. Incorrect authentication scheme (sending Basic when Bearer is required). Token expired or revoked but client still using the old token. API key sent in wrong location (header vs query parameter vs body). Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps: Check the WWW-Authenticate header in the 401 response to identify the required auth scheme. For Bearer auth: verify the token is not expired (decode JWT and check exp claim). Implement token refresh: use the refresh token to obtain a new access token before it expires. Ensure the Authorization header format is correct: 'Bearer <token>' with a space after Bearer. For Basic auth: verify credentials are base64-encoded as 'username:password'. Check if the API requires additional headers like X-API-Key alongside Bearer tokens. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
What is the difference between 401 and 403?
401 means not authenticated (who are you?). 403 means authenticated but not authorized (you are not allowed). 401 asks for credentials; 403 denies even with valid credentials.
Overview
Guide to HTTP authentication errors including 401 Unauthorized with Basic, Bearer token, Digest, and OAuth authentication schemes and their common failure modes.
Key Details
- HTTP 401 Unauthorized means the request lacks valid authentication credentials
- The WWW-Authenticate header in the 401 response specifies which authentication scheme to use
- Basic auth sends base64-encoded credentials — must use HTTPS to prevent interception
- Bearer tokens (JWT, OAuth) are the most common API authentication method
- Digest auth hashes credentials but is rarely used in modern applications
Common Causes
- Missing or expired authentication token in the Authorization header
- Incorrect authentication scheme (sending Basic when Bearer is required)
- Token expired or revoked but client still using the old token
- API key sent in wrong location (header vs query parameter vs body)
Steps
- 1Check the WWW-Authenticate header in the 401 response to identify the required auth scheme
- 2For Bearer auth: verify the token is not expired (decode JWT and check exp claim)
- 3Implement token refresh: use the refresh token to obtain a new access token before it expires
- 4Ensure the Authorization header format is correct: 'Bearer <token>' with a space after Bearer
- 5For Basic auth: verify credentials are base64-encoded as 'username:password'
- 6Check if the API requires additional headers like X-API-Key alongside Bearer tokens