AI & Machine Learning
Edge Network
Infrastructure as a Service
Platform as a Service
Virtual & Dedicated Servers
Video Streaming Platform
Security
Cloud for Mobile
Custom Services
By Industry
By Service
Referral Program
Bug Bounty Policy
Compliance
Awards and Recognition
Careers
Internet Peering Points
Events
Infrastructure
The 401 error code is one of the most common HTTP status codes. You’re likely to encounter it with an “Unauthorized” message or string, which essentially means you lack some level of authorization to proceed. Knowing about HTTP status codes can help troubleshoot issues regarding web requests and ensure that your users receive appropriate feedback about the status of their requests. It can also ensure that your web applications and services are compatible and can work across a wide range of servers and clients, regardless of their platform or programming language.
This article explains the 401 Unauthorized HTTP error code and how to troubleshoot it if you encounter it.
What Are HTTP Status Codes?
The HTTP status code system was introduced in the early 1990s as part of the HTTP/1.0 specification, and it has been refined and expanded over time as the web has evolved. HTTP status codes are three-digit format codes, with each code associated with a specific meaning in relation to the result of an HTTP request.
The goal was to create a standardized set of codes that all web servers could use to communicate with HTTP clients about the outcome of their requests in a clear, concise, and consistent manner. Prior to the development of HTTP status codes, there was no consistent or reliable way for servers to communicate errors or other types of responses to clients. There are five main classes or categories of HTTP status codes:
- 1xx (Informational): These are informational messages, indicating that the request has been received and the server is continuing to process the request.
- 2xx (Success): These indicate that the request was successfully received, understood, and accepted by the server.
- 3xx (Redirection): These indicate that the client must take some additional action to complete the request, such as following a redirect.
- 4xx (Client Error): These indicate that the request made by the client was incorrect or cannot be fulfilled by the server.
- 5xx (Server Error): These indicate that the server failed to fulfill a valid request due to an error on the server side.
What Is a 401 Unauthorized Error?
To better understand the meaning of the 401 Unauthorized HTTP status code, consider the analogy of trying to enter a private club or event without a valid invitation or ID. If you show up at the door without a valid invitation or ID, the bouncer will deny you entry and tell you that you’re not authorized to enter.
Similarly, when an HTTP client sends a request to a web server for a protected resource without providing valid authentication credentials, the server responds with a 401 Unauthorized status code, indicating that the client is not authorized to access the resource.
Just as the bouncer at the club may provide instructions on what is needed to gain entry, the web server may provide instructions to the client on what kind of authentication credentials are needed and how to provide them. This information is typically provided in the response body or in response headers such as the ‘WWW-Authenticate’ header.
So, just as a bouncer at a club controls access to a private event, the web server uses the 401 status code to control access to protected resources and requires authentication credentials to grant access.
Why Does the 401 Unauthorized Error Occur?
While this error code usually occurs due to missing credentials, it’s important to note that the exact cause of a 401 error can vary depending on the specific situation and context. Additional troubleshooting may be required to identify the actual issue. Below are some other reasons why you could face this error.
Missing or Incorrect Authentication Credentials
As stated earlier, the most common cause of a 401 Unauthorized error is a client not providing valid authentication credentials, such as a username and password, in the request. This can happen if the client forgets to include the credentials or enters them incorrectly. Sometimes the needed credentials may be in the form of basic HTTP authentication or an API key that must be submitted with the request.
Malformed Authenticated Requests
Improperly formatting or structuring an HTTP request can cause a 401 error status. Some servers add other layers of security for authenticated requests or when undertaking authentication. These include requiring credentials to be hashed, encrypted, or formatted in a specific way before submitting.
If this isn’t done correctly or structured according to the needs of the server, you’ll receive a 401 Unauthorized error in response because the server does not recognize the submitted credentials and treats them as invalid.
Expired or Revoked Credentials
Depending on the application or API being accessed, credentials may be revoked, reset, or expire over a set period of time for extra security. You might run into this with financial or banking apps and sites. If your client’s authentication credentials are expired or have been revoked by the server, the server will return a 401 error to indicate that the client is not authorized to access the requested resource.
Incorrect Permissions or Access Control
A 401 error can occur if the authentication credentials provided by the client are not authorized to access the requested resource due to incorrect permissions or access control settings on the server. For example, if you are a content editor and have an edit button to modify content, your account must have the “edit content” permission to execute that action. If your account does not have the necessary permission, you will receive a 401 error when clicking the edit button.
A Misconfigured Server or Application
A 401 error can also be caused by a misconfigured server or application, such as an endpoint or URL that is expected to be public being placed under an authenticated page. Sometimes this happens when broken or outdated plugins are used in the application, especially in some content management systems such as WordPress or Drupal.
In these cases, you would usually find the root cause in the logs. A 401 Unauthorized error will also occur if the client submits a request for a URL that is incorrect or does not exist on the server but matches a protected file system path on the server that is not meant to be accessed directly.
Network or Connectivity Issues
Sometimes, a 401 error can occur due to network or connectivity issues, such as a firewall blocking the request. Firewalls are security systems that prevent unauthorized access to a network or server. 401 errors occur when a firewall blocks a request from a client that is trying to access a protected resource.
DNS Lookup Failure
The Domain Name System (DNS) is a system that translates domain names into IP addresses. If there is a problem with the DNS lookup process, the client may not be able to connect to the server. In other cases, your system might be using a cached DNS record that is outdated, therefore pointing requests to the wrong server. Both of these situations can result in a 401 error.
How Do You Fix the 401 Unauthorized Error?
Once you identify the cause of the error, you can usually take a few steps to easily fix it. The next sections discuss a few ways you can fix this error. The solution may also depend on whether you are an end user of the application, a developer (API consumer), or the application owner.
Provide Missing or Correct Authentication Credentials
Providing missing or correct authentication credentials is usually the first step in resolving a 401 Unauthorized error. You need to find the login or sign-in page of the application or website and ensure you provide valid credentials for successful authentication.
Then, try accessing the resource again, and hopefully it should work. If you’re a developer trying to access or consume a resource via an API, you may need to ensure that you provide a valid API key or token for each request via the respective headers as provided by the server.
The following is an example of a curl HTTP request that requires you to specify your API key with the ‘Authorization’ header:
curl --request POST \
--url https://api.euc1a1.example.com/v1/orgs/self/ws/commons/collections \
-H 'Authorization: ApiKey YOUR_API_KEY_HERE' \
-H 'Content-Type: application/json' \
-d '{
"name": "incoming_requests",
"description": "All incoming delivery requests.",
"sources": [
{
"integration_name": "Redpanda-Ondemand-Delivery",
"kafka": {
"kafka_topic_name": "delivery-requests",
"use_v3": false,
"offset_reset_policy": "LATEST",
"status": {
"state":"ACTIVE"
}
}
}
],
"retention_secs": 259200
}'
Refresh Expired or Revoked Credentials
Ideally, a web application should be able to detect expired or revoked credentials and request that end users reauthenticate. However, sometimes that doesn’t happen because the application lacks such a mechanism or the user’s web client is using cached data.
In these cases, the best way to refresh expired or revoked credentials is to clear your browser’s cookies and cache. This will cause the browser to completely reload the web application and may require the user to reauthenticate or log in to be able to access the requested URL.
Developers interacting with APIs should monitor active sessions, promptly identify expired credentials, and generate or refresh authentication tokens for any sessions that have expired. Automatically redirecting users to login pages is one way to ensure they reauthenticate and continue consuming content seamlessly.
Check for a Malformed Authenticated Request
As mentioned, your credentials may need to be formatted in a specific way and passed through some hashing or encryption algorithms before submitting. Developers need to carefully check the API documentation and other examples available to ensure they are constructing their requests correctly using the right hashing and cryptographic libraries for their framework or programming language.
Obtain the Required Permissions or Access Control Clearance
Whether you’re an end user or a developer, if you’re sure you should be able to access a specific resource or undertake a specific action with your current credentials, you need to contact the application owner or administrator to provide your account with the right access level.
If you are the owner of the application, ensure that your users have the appropriate permissions for their interaction with your site or application.
Cross-Check Server Configuration and Application Plugins
If you’re the application owner or maintainer, you need to check that your web server and file system configurations are correct, especially if you recently made any changes. You can also check your logs to find URLs returning a 401 error and resolve them accordingly. If you are using a content management system like WordPress, you can update WordPress and all installed plugins. You should also disable any incompatible or inactive plugins.
Adjust Firewall or Network Security Rules
You might be accessing a website that is restricted in your current network environment (for example, an office network). If you believe that site or content should be available to you for official purposes, then you can talk to your ISP or network administrator to resolve the problem.
You can also use a VPN or proxy connection to visit those websites to see if that resolves the issue. If you’re the site owner, you can check your server’s network firewall to see if it’s accidentally blocking legitimate traffic to your application or specific resources.
Further Troubleshoot Your 401 Unauthorized Error
Hopefully, one of the above solutions fixes your 401 Unauthorized error. However, this is not an exhaustive list, so you may need to search online using specific terms that provide the context of your error. You could use keywords such as the name of your web framework, library, plugin, programming language, or even the web server software, such as Nginx or Apache.
401 Unauthorized errors are common, so it’s likely that others have already faced similar variations and found an appropriate solution.
Conclusion
The 401 Unauthorized HTTP status code error is a frequent occurrence for anyone who browses the internet or uses web applications. However, most users are unaware of its meaning or how to resolve it. This article explained HTTP status codes and their functionality, including the specific 401 code and its significance.
This article covered some of the most common causes of this error and a few solutions depending on your level of access to a system. The causes covered here include missing or invalid authentication credentials, expired or revoked credentials, server misconfiguration, network connectivity issues involving firewalls, and a bad DNS cache.
However, as mentioned, it’s important to note that this list is not exhaustive, and if none of the presented solutions work, you may have to do some research depending on your specific circumstances. Luckily, this error is so common that someone out there has probably already found your solution.
Written by Rexford A. Nyarko