HTTP 401 Unauthorized
Client Error
Authentication is required and was missing or invalid. Despite the name, it means "unauthenticated" — the response includes a WWW-Authenticate challenge.
Defined in RFC 9110
Common causes
- Missing/expired/invalid token or API key
- Wrong Authorization header format (e.g. missing 'Bearer ' prefix)
- Session cookie expired or not sent cross-site (SameSite rules)
How to fix it
- Re-authenticate and retry with a fresh credential
- Check the exact Authorization header format the API expects
- For cookies, verify SameSite/Secure attributes and CORS credentials mode
- Use 403 instead when the user is authenticated but not allowed
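The 401/403 decision described above, as a server-side check. This is an added example, not code from the original page. The token store, realm name, scopes and function names are constructed for illustration, and the error attribute on the challenge follows the Bearer scheme's convention (RFC 6750), which the page itself does not cover.

```python
NOW = 1_700_000_000  # fixed clock so the example is deterministic
REALM = "example-api"  # assumed realm name
# Constructed token store: token -> (expiry as Unix time, granted scopes).
TOKENS = {
    "tok-alice": (2_000_000_000, {"read", "write"}),
    "tok-bob": (2_000_000_000, {"read"}),
    "tok-old": (1_000_000_000, {"read"}),  # already expired at NOW
}


def challenge(error=None, description=None):
    """Build the WWW-Authenticate value that accompanies every 401."""
    parts = [f'realm="{REALM}"']
    if error:
        parts += [f'error="{error}"', f'error_description="{description}"']
    return "Bearer " + ", ".join(parts)


def authorize(headers, required_scope, now=NOW):
    """Return (status, response_headers) for the given request headers."""
    # Header field names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    scheme, _, token = (value or "").strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # Header absent or malformed (e.g. raw token without "Bearer "):
        # the server sees no usable credential, so it sends a bare challenge.
        return 401, {"WWW-Authenticate": challenge()}
    expiry, scopes = TOKENS.get(token, (0, set()))
    if expiry <= now:
        # Unknown and expired tokens get the same answer on purpose.
        return 401, {"WWW-Authenticate": challenge("invalid_token", "unknown or expired token")}
    if required_scope not in scopes:
        # Identity is established; a fresh login would not change the outcome.
        return 403, {}
    return 200, {}
```

Only the 401 paths carry WWW-Authenticate; the 403 path omits it because retrying with the same identity cannot succeed.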
Related status codes
403 Forbidden: The server understood the request and refuses to authorize it. Unlike 401, re-authenticating won't help — the identity is known but lacks permission.
407 Proxy Authentication Required: Like 401, but the authentication challenge comes from a proxy between you and the target (Proxy-Authenticate header).