HTTP 401 Unauthorized vs 403 Forbidden

401 and 403 both indicate access problems, but for different reasons. A 401 means the client has not provided valid authentication credentials, while a 403 means the client is authenticated but lacks permission to access the resource. The key distinction is identity vs authorization.

401 Unauthorized

Description

The request requires user authentication. The response includes a WWW-Authenticate header indicating the authentication scheme.

When You See It

When accessing a protected resource without credentials or with expired tokens.

How to Fix

Include valid authentication credentials (API key, Bearer token, Basic auth) in the Authorization header.

403 Forbidden

Description

The server understood the request but refuses to authorize it. Unlike 401, authentication will not help — the user simply does not have permission.

When You See It

When you are authenticated but your account lacks permission for the requested resource or action.

How to Fix

Check your user role/permissions. Contact the admin to request access.

Key Differences

1. 401 means 'who are you?' — the server cannot identify the client because credentials are missing or invalid.

2. 403 means 'I know who you are, but you cannot do this' — the client is authenticated but lacks the required permission.

3. 401 must include a WWW-Authenticate header indicating the authentication scheme the server accepts.

4. 403 should not change if the client re-authenticates — the prohibition is based on authorization policy, not identity.

5. Retrying with valid credentials can fix a 401; a 403 requires elevated privileges or a different account.

When to Use Which

Return 401 when no credentials are provided, the token is expired, or the API key is invalid. Return 403 when the user is logged in but their role or permissions do not allow the requested action. If you want to hide the existence of a resource from unauthorized users, consider returning 404 instead of 403.
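The decision rules above, as an added example that is not part of the original page: a minimal request handler that returns 401 with the mandatory WWW-Authenticate challenge when identity cannot be established, 403 when the caller is known but lacks the required role, and 404 to hide resources whose existence should not be disclosed. The token store, the policy table, the realm name and the paths are constructed for illustration only; the `error="invalid_token"` challenge parameter is the one defined by RFC 6750 for Bearer tokens.

```python
# Added example: applies the 401 / 403 / 404 rules to a request.
# Token store, policy table, realm and paths are constructed, not real.

REALM = "api"  # hypothetical realm used in the WWW-Authenticate challenge

# Constructed credential store: opaque Bearer token -> user record.
TOKENS = {
    "tok-alice": {"user": "alice", "roles": {"reader", "editor"}, "expired": False},
    "tok-bob": {"user": "bob", "roles": {"reader"}, "expired": False},
    "tok-stale": {"user": "carol", "roles": {"reader"}, "expired": True},
}

# Constructed authorization policy: (method, path) -> role required.
POLICY = {
    ("GET", "/articles"): "reader",
    ("POST", "/articles"): "editor",
    ("DELETE", "/admin/users"): "admin",
}

# Resources whose existence should not be revealed to callers lacking access.
HIDDEN_PREFIXES = ("/admin/",)


def authenticate(headers):
    """Resolve the Authorization header to a user record.

    Returns (record, None) on success, or (None, reason) where reason is
    "missing" (no usable Bearer credentials) or "invalid_token" (unknown or
    expired token; this is the error code defined by RFC 6750 section 3.1).
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None, "missing"
    record = TOKENS.get(token.strip())
    if record is None or record["expired"]:
        return None, "invalid_token"
    return record, None


def handle(method, path, headers):
    """Return (status_code, response_headers) for a request."""
    user, reason = authenticate(headers)
    if user is None:
        # 401: identity not established. The challenge header is mandatory,
        # and for a presented-but-bad token we say why so the client can refresh.
        challenge = f'Bearer realm="{REALM}"'
        if reason == "invalid_token":
            challenge += f', error="{reason}"'
        return 401, {"WWW-Authenticate": challenge}

    required = POLICY.get((method, path))
    if required is None:
        return 404, {}  # no such resource for anyone

    if required not in user["roles"]:
        if path.startswith(HIDDEN_PREFIXES):
            # Authenticated but not permitted; do not disclose the resource exists.
            return 404, {}
        # 403: identity known, permission denied. Re-authenticating will not help.
        return 403, {}

    return 200, {}


if __name__ == "__main__":
    print(handle("GET", "/articles", {}))
    print(handle("GET", "/articles", {"Authorization": "Bearer tok-stale"}))
    print(handle("POST", "/articles", {"Authorization": "Bearer tok-bob"}))
    print(handle("DELETE", "/admin/users", {"Authorization": "Bearer tok-alice"}))
```

The split between `authenticate` and `handle` mirrors the identity-versus-authorization distinction: only the first step can produce a 401, and only the second can produce a 403. Returning 404 for the hidden prefix gives an unprivileged but authenticated caller the same answer a non-existent path would, which is the trade-off the text describes.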