The HTTP 401 status code stands for "Unauthorized". It is a client error response, indicating that the request lacks valid authentication credentials for the requested resource.

When is HTTP 401 Used?

  • When authentication (e.g., username/password, API key, token) is required but not provided.
  • When authentication credentials are incorrect or expired.
  • When a protected resource requires a login but the user is not authenticated.

Example Scenarios

  • Missing Authentication – A user tries to access a restricted page without logging in.
  • Invalid Credentials – A client provides an incorrect API key or password.
  • Expired Token – A session token has expired, and the user needs to re-authenticate.

Example

Client Request (Accessing a Protected API Without Authentication)

        GET /api/user-profile HTTP/1.1
        Host: example.com

Server Response (401 Unauthorized - Missing Authentication)

        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Bearer realm="Access to user profile"
        Content-Type: application/json

        { "error": "Authentication required" }

Because this request carried no credentials at all, the challenge names only the scheme and realm. The `error="invalid_token"` parameter belongs on a 401 that rejects a token the client actually sent (wrong or expired), not on one answering a request that sent nothing.
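The three scenarios above (missing, invalid and expired credentials) produce slightly different 401 responses. The handler below is an added example, not code from the original page: it is a hypothetical `authorize()` function with a constructed token store, which emits a bare Bearer challenge when no usable credentials arrive and an `error="invalid_token"` challenge when a presented token is unknown or expired, so that a client can tell the cases apart while the server reveals nothing about which tokens exist.

```python
import hmac
import json
import time

# Constructed sample token store: token -> expiry as a Unix timestamp.
TOKENS = {
    "tok-valid": 2_000_000_000,    # still active in the tests below
    "tok-expired": 1_000_000_000,  # already past its expiry
}
REALM = "Access to user profile"


def _lookup(token):
    """Scan every entry with a constant-time compare so response timing
    does not leak which tokens are present in the store."""
    expiry = None
    for candidate, exp in TOKENS.items():
        if hmac.compare_digest(candidate.encode(), token.encode()):
            expiry = exp
    return expiry


def _challenge(error=None, description=None):
    # Every 401 must carry a WWW-Authenticate challenge (RFC 9110).
    value = f'Bearer realm="{REALM}"'
    if error:  # only when the client actually presented a token (RFC 6750)
        value += f', error="{error}", error_description="{description}"'
    headers = {"WWW-Authenticate": value, "Content-Type": "application/json"}
    return 401, headers, json.dumps({"error": "Authentication required"})


def authorize(headers, now=None):
    """Return (status, response_headers, body) for a Bearer-protected resource."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return _challenge()                     # missing authentication
    expiry = _lookup(token)
    if expiry is None:
        return _challenge("invalid_token", "Unknown token")      # invalid credentials
    if expiry <= now:
        return _challenge("invalid_token", "Token has expired")  # expired token
    return 200, {"Content-Type": "application/json"}, json.dumps({"user": "demo"})
```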

Summary

HTTP 401 means the request requires authentication, but the client did not provide valid credentials. It is commonly used in API authentication, login-protected resources, and access control mechanisms.