client error RFC 9110
HTTP 401 Unauthorized
Authentication is required and either missing or invalid — the client is not identified.
What it means
The name is misleading — 401 is really 'Unauthenticated'. The server doesn't know who you are because the request has no credentials or the credentials are invalid/expired. The server should send a `WWW-Authenticate` header telling the client what kind of auth it expects (Bearer, Basic, Digest, etc.). Contrast with 403 (Forbidden), which means "I know who you are but you can't do this."
When servers send it
- •Request has no Authorization header on a protected endpoint
- •Bearer token has expired
- •Session cookie is missing or invalid
- •API key is not recognized
- •Basic auth credentials are wrong
What the client does
Redirects the user to login, refreshes the token, or prompts for new credentials. Should NOT retry with the same credentials.
Common causes
- •JWT expired (check the `exp` claim with our JWT decoder)
- •Cookie SameSite policy blocked the auth cookie on a cross-site request
- •API key was rotated but you're still using the old one
- •Bearer token missing `Bearer ` prefix (case matters)
How to fix it
- 1.Check that Authorization header is being sent (some libraries strip it on redirect)
- 2.Verify token isn't expired — decode the JWT and check `exp`
- 3.For cookie auth, confirm SameSite/Secure/HttpOnly flags match your setup
- 4.For CORS + cookies, ensure `credentials: "include"` on the fetch and `Access-Control-Allow-Credentials: true` on the server
- 5.Check for whitespace or newlines in the token (accidental \n from environment variables is common)
Similar codes
403 Forbidden client error
Server understood who you are but refuses to authorize the request — permission denied.
400 Bad Request client error
Server cannot process the request due to a client-side error — malformed syntax, invalid JSON, missing required fields.
404 Not Found client error
The requested URL does not exist on this server.
405 Method Not Allowed client error
The URL exists but doesn't support the HTTP method the client used.
408 Request Timeout client error
Client took too long to send the request — server gave up waiting.
← All HTTP status codes · HTTP status cheat sheet · HTTP headers reference