HTTP 401 Unauthorized — What It Means and How to Fix It

The HTTP 401 Unauthorized status code indicates that the client request has not been applied because it lacks valid authentication credentials for the target resource. This typically means the client tried to access a protected resource without providing any authentication, or with invalid or expired credentials.

Last updated: 2026-06-11

Status Code: 401
Name: Unauthorized

Common Causes

  • Missing or incorrect 'Authorization' header in the request.
  • Expired authentication token (e.g., JWT, session cookie).
  • Invalid username or password provided.
  • Attempting to access a resource that requires authentication without logging in.
  • Server-side misconfiguration of authentication mechanisms.

Code Examples to Handle HTTP 401

curl -I https://httpbin.org/status/401

How to Fix It

  1. Verify that an 'Authorization' header is present in your request and contains valid credentials (e.g., Bearer token, Basic Auth).
  2. Check the validity and expiration of your authentication token or session. If expired, obtain a new one.
  3. Ensure the username and password (if using Basic Auth) are correct and match the server's expected credentials.
  4. If using a client library or framework, confirm that it's correctly handling authentication and attaching credentials to requests.
  5. On the server side, review your authentication middleware or logic to ensure it's correctly validating credentials and returning the appropriate 401 response.

💡 Example: A user attempts to access their profile page on an e-commerce website without being logged in. The server responds with a 401 Unauthorized status code, prompting the user to log in or register.

🛠️ Developer Tip: When returning a 401, include a 'WWW-Authenticate' header to inform the client about the authentication scheme required (e.g., 'WWW-Authenticate: Bearer realm="api"'). This helps clients understand how to properly authenticate.
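
One way to implement the server-side check from step 5 together with the 'WWW-Authenticate' challenge from the tip above. This is an added example, not code from the original page; the function names, the in-memory token store and its sample tokens are assumptions made for illustration, and the error attributes follow the Bearer scheme defined in RFC 6750.

```python
import hmac
import time

REALM = "api"  # realm value borrowed from the tip's example header

# Constructed sample token store: opaque token -> expiry (Unix seconds).
# A real service would keep hashed tokens in a database or verify a signed JWT.
TOKENS = {"tok-valid": 2_000_000_000, "tok-expired": 1_000_000_000}


def challenge(error=None, description=None):
    """Build a WWW-Authenticate value for the Bearer scheme."""
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(parts)


def authenticate(headers, tokens=TOKENS, now=None):
    """Return (status, response_headers) for a dict of request headers."""
    now = time.time() if now is None else now
    # Header names are case-insensitive, so normalise before the lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, credential = auth.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        # No usable Bearer credentials: send a bare challenge with no error
        # attribute, which tells the client which scheme to use.
        return 401, {"WWW-Authenticate": challenge()}
    expiry = None
    for known, exp in tokens.items():
        # Constant-time comparison, and no early exit from the loop.
        if hmac.compare_digest(known.encode(), credential.encode()):
            expiry = exp
    if expiry is None:
        return 401, {"WWW-Authenticate": challenge("invalid_token", "unknown token")}
    if now >= expiry:
        return 401, {"WWW-Authenticate": challenge("invalid_token", "token expired")}
    return 200, {}
```

A client that receives error="invalid_token" should obtain a new token rather than resend the same one; a bare challenge means no Bearer credentials reached the server at all.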

Frequently Asked Questions

What causes HTTP 401?

HTTP 401 is caused by a client attempting to access a protected resource without providing valid authentication credentials. This could be due to missing credentials, incorrect username/password, or an expired authentication token.

How do I fix HTTP 401?

To fix a 401, ensure your request includes a valid 'Authorization' header with correct and unexpired credentials. If you're a developer, check your authentication logic on both the client and server sides, and ensure the server is correctly challenging the client with a 'WWW-Authenticate' header.