401 Unauthorized
Request requires user authentication credentials.
Authentication is required and has failed or has not been provided.
What HTTP 401 Unauthorized Means
A 401 response means the request requires user authentication credentials: authentication is required and has either failed or has not been provided.
Common Causes
- Missing Authorization header
- Invalid credentials
- Expired token
- Incorrect username/password
How to Fix It (For Visitors)
- Log in to the website
- Check your credentials
- Clear cookies and log in again
How to Fix It (For Developers/Admins)
- Include a valid Authorization header
- Refresh expired tokens
- Implement the OAuth flow correctly
- Check API key validity
Returning a 401 Unauthorized (Code Examples)
If you build APIs or web apps, here is how to send an HTTP 401 response and how to test for it:
Node.js (Express)
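const app = require('express')();
app.get('/resource', (req, res) => {
  // A 401 must carry a WWW-Authenticate challenge (RFC 7235); Bearer scheme assumed here
  res.set('WWW-Authenticate', 'Bearer').status(401).json({ error: 'Unauthorized' });
});
app.listen(3000); // port chosen for illustration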
Python (Flask)
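from flask import Flask, jsonify
app = Flask(__name__)
@app.route('/resource')
def resource():
    # A 401 must carry a WWW-Authenticate challenge (RFC 7235); Bearer scheme assumed here
    return jsonify(error='Unauthorized'), 401, {'WWW-Authenticate': 'Bearer'}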
PHP
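<?php
http_response_code(401);
// A 401 must carry a WWW-Authenticate challenge (RFC 7235); Bearer scheme assumed here
header('WWW-Authenticate: Bearer');
header('Content-Type: application/json');
echo json_encode(['error' => 'Unauthorized']);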
Check the status with curl
curl -I https://example.com/resource
# Look for: HTTP/1.1 401 Unauthorized
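The snippets above always return 401. As an added example (not code from the original page), here is one way a server can tell apart the causes listed earlier (missing header, invalid credentials, expired token) and answer each with a matching challenge. The Bearer scheme, the toy HMAC token format, and the names SECRET, REALM, issue_token, challenge and check_request are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"demo-secret-constructed"  # constructed sample key, not a real credential
REALM = "example"                    # hypothetical realm name

def issue_token(expires_at: int) -> str:
    """Toy token for this example only: '<expiry>.<HMAC-SHA256(expiry)>'."""
    sig = hmac.new(SECRET, str(expires_at).encode(), hashlib.sha256).hexdigest()
    return f"{expires_at}.{sig}"

def challenge(error: str = "", description: str = "") -> dict:
    """Build the WWW-Authenticate header that accompanies a 401."""
    value = f'Bearer realm="{REALM}"'
    if error:
        value += f', error="{error}", error_description="{description}"'
    return {"WWW-Authenticate": value}

def check_request(headers: dict, now: int):
    """Return (status, response_headers) for a request to a protected resource."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if not auth or scheme.lower() != "bearer" or not token:
        # Missing Authorization header: bare challenge, no error attribute
        return 401, challenge()
    expiry, _, sig = token.partition(".")
    expected = hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the signature matched
    valid_sig = hmac.compare_digest(sig.encode(), expected.encode())
    if not expiry.isdigit() or not valid_sig:
        # Invalid credentials: token was not issued with our key or was altered
        return 401, challenge("invalid_token", "signature check failed")
    if int(expiry) <= now:
        # Expired token: the client should refresh it and retry
        return 401, challenge("invalid_token", "token expired")
    return 200, {}
```

A client that reads the error_description can decide whether to refresh the token or prompt for new credentials instead of retrying blindly.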
Frequently Asked Questions
What does HTTP 401 Unauthorized mean?
Request requires user authentication credentials. In short: Authentication is required and has failed or has not been provided.
Is 401 Unauthorized a client or server error?
401 is a 4xx client-error code, so the request itself needs to change. The server is running normally and is rejecting the request as it was sent by the browser, app, or API client.
How do I fix a 401 Unauthorized error?
Include a valid Authorization header. Refresh expired tokens. Implement the OAuth flow correctly.
Official Specification
The 401 Unauthorized status code is defined in RFC 7235 Section 3.1.