DevKits
401

Unauthorized

4xx Client Error

Last updated:

Authentication is required and has not been provided, or provided credentials are invalid.

Description

The name is misleading — 401 is about authentication, not authorization. It signals 'I don't know who you are, prove it'. Responses SHOULD include a WWW-Authenticate header describing the required auth scheme.

When to use

Return 401 when no Authorization header is provided, or when the token is missing / expired / malformed.

Common pitfalls

Do not use 401 for 'authenticated but not permitted' — that's 403.

Specification

RFC 9110 §15.5.2

Examples

HTTP response
HTTP/1.1 401 Unauthorized
Content-Type: application/json

{"error":"Unauthorized"}
Node.js (Express)
res.status(401).json({ error: "Unauthorized" });
Go (net/http)
w.WriteHeader(http.StatusUnauthorized)
Python (Flask)
return jsonify({"error": "Unauthorized"}), 401

Related status codes

All 4xx codes