The request requires authentication that was not provided or was invalid.
What 401 Unauthorized means
401 Unauthorized is the misnamed authentication-required code. Despite the name, 401 is about authentication (proving who you are), not authorization (whether you are allowed). The server is saying "I do not know who you are, log in and try again". Servers must include a WWW-Authenticate header on 401 responses to tell clients which auth method to use (Basic, Bearer, etc.).
When servers should return it: Return 401 when no credentials are provided, or the credentials are invalid (wrong password, expired token, malformed signature). For valid credentials but insufficient permissions, return 403 Forbidden instead.
Common causes
Missing Authorization header
Bearer token expired (most common in 2026)
Bearer token revoked or rotated
Wrong API key for the environment (staging key on production)
Basic auth password incorrect
JWT signature does not validate
OAuth token scope does not include the resource
How to fix 401 Unauthorized
Verify the Authorization header is present and correctly formatted
Refresh the token if your auth provider supports refresh tokens
401 means "I do not know who you are". 403 means "I know who you are, but you cannot do this". 401 implies "log in and retry"; 403 means "no amount of retrying will help".
Should an API return 401 or 404 for non-existent resources when not authenticated?
Both are defensible. 401 is technically more correct (you have not authenticated). 404 leaks less information about resource existence. Pick one and apply consistently.
Can a 401 include a body?
Yes. Most JSON APIs do, with a brief error message. The WWW-Authenticate header is mandatory; the body is optional but useful.
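To make the 401-versus-403 rule and the mandatory WWW-Authenticate header concrete, here is an added example (not code from the original page) of the decision a Bearer-protected endpoint makes. It assumes a constructed token table (`TOKENS`, the realm name `api`, the scope names) standing in for real token verification; the error values in the challenge follow RFC 6750, which, like this page, uses 403 for a valid token that lacks the needed scope.

```python
import time

# Constructed sample token store standing in for real JWT/introspection checks;
# subjects, expiry times (exp) and scope names are made up for this example.
TOKENS = {
    "tok-alice": {"sub": "alice", "exp": 4102444800, "scopes": {"orders:read", "orders:write"}},
    "tok-bob":   {"sub": "bob",   "exp": 4102444800, "scopes": {"orders:read"}},
    "tok-stale": {"sub": "carol", "exp": 946684800,  "scopes": {"orders:read"}},
}
REALM = "api"  # assumed realm name for the challenge


def challenge(error=None, description=None):
    """Build the WWW-Authenticate value that every 401 must carry (RFC 9110)."""
    value = f'Bearer realm="{REALM}"'
    if error:
        value += f', error="{error}"'
    if description:
        value += f', error_description="{description}"'
    return value


def authorize(headers, required_scope, now=None):
    """Return (status, response_headers, body) for one request to a protected resource.

    401: caller not identified (missing, malformed, unknown or expired credentials),
         so the response must challenge with WWW-Authenticate.
    403: caller identified but lacking the scope; no challenge, retrying will not help.
    """
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    if auth is None:
        # No credentials at all: challenge without an error code (RFC 6750 section 3.1).
        return 401, {"WWW-Authenticate": challenge()}, {"error": "authentication required"}
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:  # auth-scheme names are case-insensitive
        return 401, {"WWW-Authenticate": challenge("invalid_request")}, {"error": "malformed Authorization header"}
    claims = TOKENS.get(token)
    if claims is None:
        return 401, {"WWW-Authenticate": challenge("invalid_token")}, {"error": "unknown or revoked token"}
    if claims["exp"] <= now:
        return 401, {"WWW-Authenticate": challenge("invalid_token", "token expired")}, {"error": "token expired"}
    if required_scope not in claims["scopes"]:
        # Identity is known, so this is authorization, not authentication: 403 and no challenge.
        return 403, {}, {"error": "insufficient_scope", "required": required_scope}
    return 200, {}, {"user": claims["sub"]}
```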
Defined in: RFC 9110 · Class: 4xx Client Error
More references
For a one-page reference of all HTTP status codes, see the HTTP cheat sheet. For testing API responses, try the API Tester tool. For inspecting responses on the command line, the curl cheat sheet covers the most common flags.