HTTP 401 Unauthorized
What a 401 Unauthorized response means, why it happens, and the fastest ways to fix it.
Authentication is required and has failed or wasn't provided. Despite the name, this is about authentication (who you are), not authorization.
- Missing/expired/invalid token or API key.
- Wrong auth scheme (Bearer vs Basic).
- Clock skew invalidating JWT exp/nbf claims.
- Check the Authorization header is actually sent (CORS blocks it cross-origin unless allowed).
- Refresh or re-issue expired tokens.
- Compare the WWW-Authenticate response header with what you send.
Notes
HTTP status codes are defined in RFC 9110 (which replaced RFC 7231). The first digit is the class: 1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error.
Same class: 400 · 403 · 404 · 405 · 408 · 409 · 410 · 412 · 413 · 415 · 418 · 422 · 425 · 429 · 431 · 451
All codes: HTTP status code reference
Frequently asked questions
What does HTTP 401 mean?
HTTP 401 Unauthorized: Authentication is required and has failed or wasn't provided. Despite the name, this is about authentication (who you are), not authorization.
How do I fix a 401 error?
Check the Authorization header is actually sent (CORS blocks it cross-origin unless allowed). Refresh or re-issue expired tokens. Compare the WWW-Authenticate response header with what you send.
Is a 401 my fault or the server's?
401 is a client error — the request itself needs to change, though server misconfiguration can also trigger it.