client error RFC 9110

HTTP 401 Unauthorized

Authentication is required and either missing or invalid — the client is not identified.

What it means

The name is misleading — 401 is really 'Unauthenticated'. The server doesn't know who you are because the request has no credentials or the credentials are invalid/expired. The server should send a `WWW-Authenticate` header telling the client what kind of auth it expects (Bearer, Basic, Digest, etc.). Contrast with 403 (Forbidden), which means "I know who you are but you can't do this."

When servers send it

  • Request has no Authorization header on a protected endpoint
  • Bearer token has expired
  • Session cookie is missing or invalid
  • API key is not recognized
  • Basic auth credentials are wrong

What the client does

Redirects the user to login, refreshes the token, or prompts for new credentials. Should NOT retry with the same credentials.

Common causes

  • JWT expired (check the `exp` claim with our JWT decoder)
  • Cookie SameSite policy blocked the auth cookie on a cross-site request
  • API key was rotated but you're still using the old one
  • Bearer token missing `Bearer ` prefix (case matters)

How to fix it

  • 1.Check that Authorization header is being sent (some libraries strip it on redirect)
  • 2.Verify token isn't expired — decode the JWT and check `exp`
  • 3.For cookie auth, confirm SameSite/Secure/HttpOnly flags match your setup
  • 4.For CORS + cookies, ensure `credentials: "include"` on the fetch and `Access-Control-Allow-Credentials: true` on the server
  • 5.Check for whitespace or newlines in the token (accidental \n from environment variables is common)

Similar codes

← All HTTP status codes · HTTP status cheat sheet · HTTP headers reference