HTTP 401 Unauthorized vs SIP 401 Unauthorized
HTTP and SIP both use 401 Unauthorized to indicate missing or invalid authentication, reflecting SIP's design heritage from HTTP. Despite sharing the same code and name, the authentication mechanisms differ significantly between web APIs and VoIP systems.
Description
The request requires user authentication. The response includes a WWW-Authenticate header indicating the authentication scheme.
Quand vous le voyez
When accessing a protected resource without credentials or with expired tokens.
Comment résoudre
Include valid authentication credentials (API key, Bearer token, Basic auth) in the Authorization header.
Description
The request requires user authentication. The response includes a WWW-Authenticate header with a challenge for the realm.
Quand vous le voyez
When making a request that requires Digest authentication. Common for REGISTER and INVITE requests to authenticated SIP trunks.
Comment résoudre
Resend the request with proper Authorization header containing valid credentials (Digest authentication).
Différences clés
HTTP 401 typically uses Bearer tokens, API keys, or session cookies; SIP 401 uses Digest authentication with nonces.
SIP 401 includes a WWW-Authenticate header with a realm and nonce for Digest auth; HTTP 401 may use various schemes.
SIP authentication happens during call setup (INVITE); HTTP authentication happens per request.
SIP 401 triggers a re-INVITE with credentials in the Authorization header; HTTP 401 triggers a retry with auth headers.
SIP borrowed the 401 code from HTTP/1.1 — the semantics are the same, but the auth protocols differ.
Quand utiliser lequel
In HTTP, return 401 when a request lacks valid credentials (missing or expired JWT, invalid API key). In SIP, the registrar or proxy returns 401 when a UA (phone/softphone) has not authenticated for REGISTER or INVITE. The SIP client should retry with Digest credentials computed from the nonce in the challenge.