How do I fix a 401 Unauthorized error?

1. Send the Authorization header with valid credentials. 2. Refresh expired tokens (OAuth refresh flow) or regenerate the API key. 3. Verify the token format (e.g. 'Authorization: Bearer TOKEN'). 4. Check the token's audience, issuer, and expiry. 5. Confirm you're using the right environment's credentials. 6. Check server clock skew for JWT validation.

How do I monitor for 401 errors?

UptimeSignal can monitor authenticated endpoints by sending a custom Authorization header with each check, then alerting you if the endpoint returns 401. This catches expired tokens, revoked keys, and auth misconfigurations before your integration silently stops working.

401 Unauthorized: What It Means and How to Fix It

Q: What causes a 401 error?

Common causes: a missing Authorization header, an expired or revoked token or API key, an incorrect username/password, a malformed Bearer token, a token signed for the wrong audience or issuer, clock skew causing JWT expiry checks to fail, or sending credentials to the wrong environment (e.g. a staging key against production).

Q: What is the difference between 401 and 403?

401 Unauthorized means you are not authenticated — the server doesn't know who you are, so providing valid credentials may fix it. 403 Forbidden means you are authenticated but not allowed to access this resource — providing different credentials for the same account won't help. Simply: 401 = who are you, 403 = you can't do that.

What It Means

HTTP 401 Unauthorized means the request lacks valid authentication credentials for the target resource. The server doesn't know who you are, or the credentials you sent are missing, expired, or invalid. Despite the name, 401 is about authentication (proving who you are), not authorization (what you're allowed to do) — that distinction is 403 Forbidden.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token"

{"error": "invalid_token", "message": "The access token expired"}

Common Causes

Missing Authorization header: No credentials were sent at all
Expired token: An OAuth access token or session has timed out
Revoked API key: The key was rotated, disabled, or deleted
Wrong credentials: Incorrect username, password, or token value
Malformed token: Missing the Bearer prefix or wrong format
Wrong audience/issuer: A JWT signed for a different service or environment
Clock skew: Server time off enough to fail JWT expiry checks

How to Fix It

# Send the Authorization header correctly
curl -H "Authorization: Bearer YOUR_TOKEN" https://api.example.com/data

# Basic auth
curl -u username:password https://api.example.com/data

# Refresh an expired OAuth token
curl -X POST https://auth.example.com/token \
  -d grant_type=refresh_token \
  -d refresh_token=YOUR_REFRESH_TOKEN

Confirm the header is present and formatted as Authorization: Bearer TOKEN
Refresh expired tokens or regenerate the API key
Decode the JWT and check exp, aud, and iss claims
Make sure you're using the credentials for the right environment
Check for server clock skew if JWTs fail validation immediately

401 vs 403

401 Unauthorized: Not authenticated — the server doesn't know who you are. Valid credentials may fix it.
403 Forbidden: Authenticated, but not allowed. Different credentials for the same account won't help.

Shorthand: 401 = who are you? 403 = you can't do that.

How to Monitor for 401 Errors

Expired tokens and revoked keys are a leading cause of integrations silently breaking. UptimeSignal can monitor authenticated endpoints by sending a custom Authorization header with each check and alerting you the moment the endpoint returns 401 — so you renew the token before your sync, webhook, or API consumer stops working. See API monitoring for setup.

Frequently Asked Questions

What does HTTP 401 mean?

401 Unauthorized means the request lacks valid authentication credentials. The server doesn't know who you are, or the credentials you sent are missing, expired, or invalid. It's about authentication, not authorization — the latter is 403 Forbidden.

What causes a 401 error?

A missing Authorization header, an expired or revoked token or API key, wrong credentials, a malformed Bearer token, a JWT with the wrong audience or issuer, clock skew, or sending staging credentials against production.

What is the difference between 401 and 403?

401 means you're not authenticated — the server doesn't know who you are, so valid credentials may fix it. 403 Forbidden means you're authenticated but not allowed to access the resource — different credentials for the same account won't help. 401 = who are you, 403 = you can't do that.

How do I fix a 401 error?

Send valid credentials in the Authorization header, refresh expired tokens or regenerate the key, verify the token format and claims (exp, aud, iss), confirm the right environment, and check for clock skew on JWTs.

Why does my API return 401 even with a token?

The token may be expired, revoked, or signed for a different audience/issuer than the API expects. Check the WWW-Authenticate response header — it often includes an error reason like invalid_token or expired. Also verify the Bearer prefix is present.

401 Unauthorized