Unauthorized
4xx Client Error
Last updated:
Authentication is required and has not been provided, or provided credentials are invalid.
Description
The name is misleading — 401 is about authentication, not authorization. It signals 'I don't know who you are, prove it'. Responses SHOULD include a WWW-Authenticate header describing the required auth scheme.
When to use
Return 401 when no Authorization header is provided, or when the token is missing / expired / malformed.
Common pitfalls
Do not use 401 for 'authenticated but not permitted' — that's 403.
Specification
RFC 9110 §15.5.2
Examples
HTTP response
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{"error":"Unauthorized"}Node.js (Express)
res.status(401).json({ error: "Unauthorized" });Go (net/http)
w.WriteHeader(http.StatusUnauthorized)
Python (Flask)
return jsonify({"error": "Unauthorized"}), 401Related status codes
All 4xx codes
400 Bad Request401 Unauthorized403 Forbidden404 Not Found405 Method Not Allowed406 Not Acceptable408 Request Timeout409 Conflict410 Gone411 Length Required412 Precondition Failed413 Payload Too Large414 URI Too Long415 Unsupported Media Type418 I'm a teapot422 Unprocessable Entity425 Too Early428 Precondition Required429 Too Many Requests431 Request Header Fields Too Large451 Unavailable For Legal Reasons