401

Unauthorized

The request requires user authentication. The client must authenticate itself to get the requested response.

Quick Definition

The request requires user authentication. The client must authenticate itself to get the requested response. Despite the name "Unauthorized," this status code is actually about authentication, not authorization. It means the server does not know who you are. You need to provide valid credentials (such as a username/password, API key, or token) before the server will process your request.

When It Occurs

A 401 error occurs when you attempt to access a protected resource without providing valid authentication credentials. This is extremely common in API development, where every request must include a token or API key. It also happens when logging into websites with incorrect credentials, or when a session or token has expired.

The server typically responds with a WWW-Authenticate header indicating the authentication scheme expected (e.g., Basic, Bearer, Digest).

Common Causes

  • Missing Authorization header - The request doesn't include any authentication credentials
  • Expired JWT/session token - The token was valid but has passed its expiration time
  • Invalid API key - The API key is incorrect, revoked, or belongs to a different environment
  • Incorrect username/password - The credentials provided do not match any account
  • Token not included in request - The login was successful but the token isn't being sent with subsequent requests
  • OAuth token revoked - The user or admin revoked the OAuth access token
  • CORS blocking credentials - Cross-origin requests not configured to include credentials

Platform-Specific Notes:

Nginx: Returns 401 when auth_basic or auth_request modules reject the credentials. Check your auth configuration block.

Apache: Triggers 401 with mod_auth_basic or mod_auth_digest when credentials fail validation against .htpasswd.

Cloudflare: May return 401 when Access policies require authentication, or when API tokens used with the Cloudflare API are invalid.

Node.js: Express middleware like Passport.js or custom JWT verification returns 401 when token validation fails.

🛠 How to Fix

  1. Include valid credentials in request - Add an Authorization header with your token, API key, or username/password
  2. Check if token has expired - Decode your JWT to verify the exp claim, or check session expiry time
  3. Verify API key is correct - Confirm you're using the right key for the right environment (dev vs. production)
  4. Ensure Authorization header format is correct - Use the proper scheme: Bearer <token>, Basic <base64>, etc.
  5. Check CORS configuration for credentials - Set credentials: 'include' in fetch and Access-Control-Allow-Credentials: true on server
  6. Refresh expired tokens - Use your refresh token to obtain a new access token from the auth endpoint
  7. Verify authentication endpoint - Make sure the login/auth URL is correct and the service is running

💻 HTTP Example

# Request without authentication
GET /api/user/profile HTTP/1.1
Host: api.example.com
# Missing: Authorization header

# Server Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api"
Content-Type: application/json

{
  "error": "Unauthorized",
  "message": "Authentication token is required",
  "statusCode": 401
}

# Correct request with Bearer token
GET /api/user/profile HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Frequently Asked Questions

What's the difference between 401 and 403?
401 Unauthorized means the client is not authenticated - it hasn't proven its identity yet. The server is saying "who are you? Please identify yourself." 403 Forbidden means the client is authenticated (the server knows who you are) but not authorized - you don't have the required permissions to access the resource. Think of 401 as a locked door where you haven't shown your ID, and 403 as showing your ID but being told you're not on the guest list.
How do I fix a 401 error in an API?
To fix a 401 error in an API, you need to send valid credentials in the Authorization header. The most common formats are: Authorization: Bearer <your-jwt-token> for JWT/OAuth tokens, Authorization: Basic <base64-encoded-credentials> for Basic authentication, or passing an API key via a custom header like X-API-Key: <your-key>. Make sure the token hasn't expired, the API key is active, and you're using the correct authentication scheme that the API expects.
