401 Unauthorized is the "please log in" error. The server received your request but can't verify who you are — you sent no credentials, or the ones you sent are invalid or expired. It's a 4xx client code, and the good news is it's usually easy to fix: authenticate correctly.
401 vs 403 — the distinction that trips everyone up
- 401 Unauthorized → "I don't know who you are. Authenticate and try again." (despite the name, it's really about authentication).
- 403 Forbidden → "I know who you are, and you're still not allowed."
Rule of thumb: 401 = who are you? · 403 = I know, and no.
Common causes
| Cause | What's happening |
|---|---|
| No credentials | The request didn't include an Authorization header or session |
| Expired session/token | Your login or JWT timed out |
| Invalid token / API key | Wrong, revoked, or mistyped credential |
| Wrong auth scheme | Sending Basic where the API expects Bearer, etc. |
| Clock skew | A signed token rejected because server/client time differ |
How to fix it — as a user
- Log in — or log out and back in to refresh an expired session.
- Clear cookies for the site if a stale session is stuck.
- Double-check your username/password (and any 2FA step).
How to fix it — as a developer / API consumer
- Check the header format. Authorization: Bearer <token> — exact scheme, exact spelling.
- Verify the token. Not expired, not revoked, signed with the right key.
- Read WWW-Authenticate. The 401 response should tell you the scheme expected.
- Refresh, don't loop. On expiry, use your refresh token once — don't retry the same dead token.
When 401s are a signal, not a bug
A steady trickle of 401s is normal (expired sessions happen). A sudden spike of 401s on a login or token endpoint can mean a credential-stuffing or brute-force attempt in progress — exactly the kind of anomaly worth catching live.
Nurbak Watch tracks auth-error rates per endpoint, so an abnormal burst of 401s pages you immediately — and Nurbak's scanner audits your authentication and authorization the way the API security checklist prescribes.
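To make the "trickle vs. spike" distinction concrete, here is an added example (not Nurbak's code or any product's implementation) that counts 401s per endpoint per minute and flags a minute that breaks from that endpoint's own baseline. The log format, the paths, and the `factor` and `floor` thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed log format (constructed): "<ISO timestamp> <method> <path> <status>"
LINE = re.compile(r"^(\S{16})\S* (\S+) (\S+) (\d{3})$")

def count_401s(lines):
    """Return {path: Counter({minute: number_of_401s})}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group(4) == "401":
            buckets[m.group(3)][m.group(1)] += 1  # first 16 chars = minute
    return buckets

def find_spikes(lines, factor=5, floor=10):
    """Flag (path, minute, count) where the 401 count is at least `floor`
    and more than `factor` times the median of that path's earlier minutes."""
    alerts = []
    for path, per_minute in count_401s(lines).items():
        history = []  # minutes with zero 401s are not recorded here
        for minute in sorted(per_minute):
            n = per_minute[minute]
            baseline = median(history) if history else 0
            if n >= floor and n > factor * baseline:
                alerts.append((path, minute, n))
            else:
                history.append(n)  # keep spikes out of the baseline
    return alerts

def sample_log():
    """Constructed access log: steady 401 trickle, then a burst on /login."""
    rows = []
    for minute, login_401, orders_401 in [(0, 2, 1), (1, 3, 2), (2, 2, 1), (3, 40, 2)]:
        ts = f"2024-05-01T10:{minute:02d}:00Z"
        rows += [f"{ts} POST /login 401"] * login_401
        rows += [f"{ts} GET /api/orders 401"] * orders_401
        rows += [f"{ts} POST /login 200"] * 5
    return rows

if __name__ == "__main__":
    for path, minute, n in find_spikes(sample_log()):
        print(f"ALERT {path} {minute}: {n} x 401")
```

The `floor` keeps a quiet endpoint from alerting on a jump from one 401 to six, and excluding flagged minutes from the history stops a long burst from becoming the new normal.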

