401 Unauthorized
4xx Client Error
RFC 9110
Who are you? Please identify yourself.
What 401 Unauthorized means {#what}
Despite the name, this actually means unauthenticated — the client hasn’t proven who it is. The server requires authentication credentials that are either missing or invalid. The response must include a WWW-Authenticate header explaining how to authenticate.
When you’ll see a 401 {#when}
- Missing or expired JWT / API key
- Wrong username or password
- Token that has been revoked
When to use 401 {#use}
- Use when authentication is required but not provided or failed
- Always include the WWW-Authenticate header
- Distinguish from 403: with 401, credentials might fix the problem; with 403, they won’t
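The 401-versus-403 decision for a Bearer-token API, as an added example that is not part of the original page. The token store, realm name and function names are hypothetical and the sample tokens are constructed; the `error="invalid_token"` parameter follows the Bearer scheme defined in RFC 6750.

```python
import hmac
import time

REALM = "example"  # hypothetical realm name
# Constructed sample token store; a real service would verify a JWT or query its token database.
TOKENS = {
    "tok-alice": {"exp": 4102444800, "revoked": False, "scopes": {"read", "write"}},
    "tok-bob": {"exp": 4102444800, "revoked": False, "scopes": {"read"}},
    "tok-old": {"exp": 946684800, "revoked": False, "scopes": {"read"}},
    "tok-revoked": {"exp": 4102444800, "revoked": True, "scopes": {"read"}},
}


def challenge(error=None):
    """Build the WWW-Authenticate header that every 401 must carry."""
    value = f'Bearer realm="{REALM}"'
    if error:
        # One generic description for unknown, expired and revoked tokens,
        # so the response does not reveal which tokens exist.
        value += f', error="{error}", error_description="invalid or expired token"'
    return {"WWW-Authenticate": value}


def lookup(presented):
    """Find a token record, comparing every candidate in constant time."""
    match = None
    for known, record in TOKENS.items():
        if hmac.compare_digest(known.encode(), presented.encode()):
            match = record
    return match


def authorize(headers, required_scope, now=None):
    """Return (status, response_headers) for a request's header dict."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, challenge()  # no usable credentials: ask the client to authenticate
    record = lookup(token.strip())
    if record is None or record["revoked"] or record["exp"] <= now:
        return 401, challenge("invalid_token")  # new credentials could fix this
    if required_scope not in record["scopes"]:
        return 403, {}  # identity is known; re-authenticating will not help
    return 200, {}
```

Unknown, expired and revoked tokens all produce the same 401 body and header, while a valid token lacking the required scope gets 403 with no challenge.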