The HTTP 401 Unauthorized status code indicates that a request has not been applied because the client lacks valid authentication credentials for the requested resource.
Unlike a 403 Forbidden response, a 401 error means the server expects the client to authenticate before accessing the resource. Once valid credentials are provided, the request may be processed successfully.
A 401 response is typically accompanied by a WWW-Authenticate header, which tells the client which authentication scheme the server accepts and how the credentials should be supplied.
This mechanism is commonly used for authentication schemes such as Basic Authentication, Bearer Tokens, OAuth, and other API authentication methods.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Secure Area"
Content-Type: text/html
When a client receives this response, it must provide valid credentials before the server will process the request.
Although 401 and 403 are often confused, they represent different stages of the security process: a 401 is about authentication (the server does not yet know who the client is, or the credentials it sent are invalid), whereas a 403 is about authorization (the server knows who the client is and has decided that identity may not access the resource).
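The following is an added example, not code from the original page, showing a minimal server-side decision procedure for the 401/403 distinction described above. It uses HTTP Basic authentication, emits the WWW-Authenticate challenge on a 401, and returns 403 only once the client is authenticated but not permitted. The user table, the `/admin` path rule and the realm name are constructed for the example; a real service would store salted password hashes rather than plaintext passwords.

```python
import base64
import hmac

# Constructed sample credential store (plaintext only for the demo).
USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}
# Constructed authorization rule: only these users may read /admin.
ADMIN_USERS = {"alice"}

REALM = "Secure Area"


def basic_header(user, password):
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(authorization_header):
    """Return (user, password) from a 'Basic <base64>' value, or None when the
    header is missing, uses another scheme, or is malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(authorization_header):
    """Return the authenticated user name, or None if authentication fails."""
    creds = parse_basic_credentials(authorization_header)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        # Compare against a dummy so unknown and known users take similar time.
        hmac.compare_digest(password.encode("utf-8"), b"dummy-password")
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return user
    return None


def handle_request(path, headers):
    """Return (status_code, response_headers, body) for a request."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        # 401: no usable credentials. The challenge tells the client how to retry.
        challenge = f'Basic realm="{REALM}", charset="UTF-8"'
        return 401, {"WWW-Authenticate": challenge}, "Unauthorized"
    if path.startswith("/admin") and user not in ADMIN_USERS:
        # 403: identity is established, but this identity is not permitted here.
        # Re-sending credentials will not help, so no challenge is issued.
        return 403, {}, "Forbidden"
    return 200, {}, f"Hello, {user}"


if __name__ == "__main__":
    samples = [
        ("/", {}),
        ("/", {"Authorization": basic_header("alice", "wrong")}),
        ("/admin", {"Authorization": basic_header("bob", "hunter2")}),
        ("/admin", {"Authorization": basic_header("alice", "correct horse battery staple")}),
    ]
    for path, hdrs in samples:
        status, resp_headers, body = handle_request(path, hdrs)
        print(path, status, resp_headers, body)
```

Note that the 403 branch deliberately omits WWW-Authenticate: a challenge invites the client to retry with credentials, which is exactly what a 403 says will not change the outcome.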
The HTTP 401 Unauthorized status code signals that a client must authenticate before accessing a protected resource. Understanding how authentication systems work is essential when building secure web applications, APIs, and authentication layers.