401 vs 403

Unauthorized vs Forbidden

🔐401Unauthorized

🚫403Forbidden

Authentication vs Authorization

Understanding the key difference

🔐

401

Unauthorized

Authentication

Who are you?

The server doesn't know your identity. You need to prove who you are by providing valid credentials.

👤User

No credentials or invalid credentials

↓

🔐401 Unauthorized

Common causes:

Missing authentication token
Expired login session
Invalid username/password

🔑

🚫

403

Forbidden

Authorization

What can you do?

The server knows who you are, but you don't have permission to access this resource.

👤Authenticated User

Valid credentials, but insufficient permissions

↓

🚫403 Forbidden

Common causes:

Insufficient user role/permissions
Resource restricted to admins
IP address blocked

⛔

Quick Decision Guide

Use 401 when:

User hasn't logged in yet
Login credentials are missing or invalid
Authentication token is expired
Response should include WWW-Authenticate header

Use 403 when:

User is logged in and identified
User lacks necessary permissions/role
Resource is restricted to specific users
Re-authenticating won't help access the resource

💡

Key Insight

401 is about identity (Who are you?), while 403 is about permissions (What can you do?). If the user could fix the issue by logging in with different credentials, use 401. If even an admin account couldn't access it, use 403.

Real-World Scenarios

When should you use each status code? Here are practical examples to help you decide.

Missing Authentication Token

A user tries to access /api/profile without providing a JWT token or session cookie.

401Unauthorized

Correct response

403Forbidden

Don't use these

Expired JWT Token

A user provides an authentication token that has expired or is invalid.

401Unauthorized

Correct response

403Forbidden

Don't use these

Authenticated User, Wrong Role

A logged-in regular user tries to access /admin/settings. They're authenticated, but they don't have admin privileges.

403Forbidden

Correct response

401Unauthorized

Don't use these

API Key with Insufficient Permissions

A developer uses a valid API key, but it only has read permissions and they're trying to write data.

403Forbidden

Correct response

401Unauthorized

Don't use these

IP Address Blocked

A request comes from an IP address that is explicitly blocked, regardless of authentication.

403Forbidden

Correct response

401Unauthorized

Don't use these

	🔐 401	🚫 403
Name	Unauthorized	Forbidden
Category	4xxClient Error	4xxClient Error
Description	The client must authenticate itself to get the requested response.	The client does not have access rights to the content.
When to Use	No authentication credentials provided Authentication token is invalid or expired User needs to log in to access the resource	User is authenticated but lacks required permissions Resource is restricted regardless of authentication IP address or region is blocked
Common Causes	Missing authentication token Expired login session Invalid credentials	Insufficient permissions IP blocked Resource restricted to certain users