401 Unauthorized
Example HTTP Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer

- Missing authentication token
- Expired login session
- Invalid credentials
What does this mean?
Who are you?! The bouncer needs to see some ID before letting you in. Time to log in!
Technical Definition
The client must authenticate itself to get the requested response.
RFC Says
"The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource."
Plain English:
You need to prove who you are before accessing this resource. Either you didn't provide credentials at all, or the ones you provided are invalid or expired.
Common Misinterpretation
Despite the name 'Unauthorized', this code is actually about authentication (proving identity), not authorization (having permission). Many developers confuse 401 with 403 - use 401 when the user hasn't logged in or their token is invalid, and 403 when they ARE logged in but don't have permission.
"The server generating a 401 response MUST send a WWW-Authenticate header field containing at least one challenge applicable to the target resource."
Plain English:
When you return a 401, you must include a WWW-Authenticate header that tells the client how to authenticate (e.g., 'Bearer' for token auth, 'Basic' for username/password).
Ready-to-use code for returning this HTTP status in your application:
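// Express.js
const express = require('express');
const app = express();

app.get('/example', (req, res) => {
  // A 401 response must carry a WWW-Authenticate challenge
  res.set('WWW-Authenticate', 'Bearer');
  res.status(401).json({
    error: 'Unauthorized',
    message: 'Your error message here'
  });
});

// Native HTTP
const http = require('http');

http.createServer((req, res) => {
  // Send the challenge header together with the 401 status
  res.writeHead(401, {
    'Content-Type': 'application/json',
    'WWW-Authenticate': 'Bearer'
  });
  res.end(JSON.stringify({
    error: 'Unauthorized',
    message: 'Your error message here'
  }));
}).listen(3000);

- No authentication credentials provided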
- Authentication token is invalid or expired
- User needs to log in to access the resource
- Use 403 when user IS authenticated but lacks permission
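The 401-versus-403 decision and the mandatory challenge header described above, as an added example that is not code from the original page. The token table, realm name and the `authDecision` and `challenge` functions are constructed for illustration; the `error="invalid_token"` challenge parameter follows RFC 6750.

```javascript
// Constructed sample sessions (opaque token -> session); not from the original page.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', roles: ['admin'], expiresAt: 2000 }],
  ['tok-bob', { user: 'bob', roles: ['reader'], expiresAt: 2000 }],
  ['tok-old', { user: 'carol', roles: ['admin'], expiresAt: 500 }],
]);

const REALM = 'example'; // hypothetical realm name

// Build a 401 result carrying the WWW-Authenticate challenge a 401 must include.
function challenge(error, description) {
  let value = `Bearer realm="${REALM}"`;
  // RFC 6750: when the request carried no credentials, send the bare challenge.
  if (error) value += `, error="${error}", error_description="${description}"`;
  return { status: 401, headers: { 'WWW-Authenticate': value } };
}

// Decide the response for one request.
//   authorization: raw Authorization header value, or undefined
//   requiredRole:  role the target resource demands
//   now:           current time, in the same unit as expiresAt
function authDecision(authorization, requiredRole, now) {
  const match = /^Bearer +(\S+)$/i.exec(authorization || '');
  if (!match) return challenge(); // missing, or not a Bearer credential

  const session = SESSIONS.get(match[1]);
  if (!session) return challenge('invalid_token', 'Unknown token');
  if (session.expiresAt <= now) return challenge('invalid_token', 'Token expired');

  // Identity is established from here on, so a refusal is 403, not 401,
  // and no WWW-Authenticate challenge is sent: logging in again would not help.
  if (!session.roles.includes(requiredRole)) {
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: {}, user: session.user };
}
```

The authentication checks run before the role check, so a caller with an expired token gets 401 even when the role would also have been refused.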
Indexing
Pages requiring authentication are not indexed. Google cannot log in, so it sees 401 and skips the content.
Crawler Behavior
Crawlers won't index protected content. They may periodically re-check in case authentication requirements change.
Canonical URL Notes
If you want authenticated content indexed, consider showing a public preview or summary that doesn't require login.
Google Notes
Don't put important SEO content behind authentication. Google can't crawl what it can't access without credentials.
401 Unauthorized FAQ
What causes a 401 Unauthorized error?
Missing authentication token. Expired login session. Invalid credentials.
When should I use 401 Unauthorized?
No authentication credentials provided. Authentication token is invalid or expired. User needs to log in to access the resource. Use 403 when user IS authenticated but lacks permission.