401 Unauthorized

The HTTP 401 status code means a server requires authentication for the request.

HTTP has multiple authentication schemes, Basic being the most common one.

GET /supersecret HTTP/2

If the server wants you to authenticate, it will send the WWW-Authenticate header with the desired authentication method:

HTTP/2 401 Unauthorized
WWW-Authenticate: Basic realm="You Shall Not Pass"

Clients authenticate by sending the Authorization header, which names the scheme they are using followed by the credentials:

Authorization: Basic UGuz3XfqNdXC4VTng6VzYW1e

401 vs 403

403 Forbidden is more appropriate when you don’t have access to a particular resource or action, while 401 Unauthorized is for cases when you’re either not authenticated or authenticated incorrectly.

To portray this as a private party analogy:

Perhaps better names for these status codes would have been 401 Unauthenticated and 403 Unauthorized.
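
The 401 vs 403 decision described above, as an added example that is not code from the original page: a server-side check in Python for the Basic scheme that returns 401 with a challenge when credentials are missing, malformed or wrong, and 403 when the caller is identified but not allowed. The user table, access list and function names are assumptions constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (assumptions for this example, not from the page).
USERS = {"alice": "correct horse", "bob": "hunter2 battery"}
ACL = {"/supersecret": {"alice"}}          # who may read which path
REALM = "You Shall Not Pass"               # realm string from the page


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def decide(path, authorization=None):
    """Return (status, response_headers) for a request to `path`."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(authorization)
    if creds is None:
        return 401, challenge                     # not authenticated
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time compare; an unknown user fails the same way as a bad password.
    same = hmac.compare_digest(password.encode(), expected.encode())
    if not (same and user in USERS):
        return 401, challenge                     # authenticated incorrectly
    if user not in ACL.get(path, set()):
        return 403, {}                            # known identity, no access
    return 200, {}


def basic_header(user, password):
    """Client side: build the Authorization value for the Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Only the 401 responses carry WWW-Authenticate; the 403 does not, because sending credentials again would not change the outcome.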
