HTTP 401 Unauthorized


The HTTP 401 Unauthorized status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.


The HTTP 401 response is used to signify that the client request has failed authentication. It is typically accompanied by a WWW-Authenticate header that contains information on how to authorize correctly.


Client Behavior:

  1. Send Request: The client sends an HTTP request to a protected resource without authentication or with invalid credentials.
  2. Receive Response: The client receives the HTTP 401 status code, indicating that authentication is required or has failed.

Server Behavior:

  1. Authenticate Request: The server attempts to authenticate the client’s request.
  2. Send Response: If authentication fails, the server sends a 401 Unauthorized response, often with a WWW-Authenticate header specifying how to authenticate.


  • Protected Resources: Accessing resources that require user authentication, such as private API endpoints or restricted web pages.
  • Authentication Failure: When the client provides incorrect or no authentication credentials.

Sequence Diagram

Illustrating the process for an HTTP 401 response:

    participant Client
    participant Server as Web Server

    Note over Client: Client attempts to access a protected resource
    Client->>Server: GET /protected-resource HTTP/1.1
    Note over Server: Server requires authentication
    Server->>Client: HTTP/1.1 401 Unauthorized
    Server->>Client: WWW-Authenticate: Basic realm="Access to protected resource"

Curl Request and Response Example

Sending a request using Curl to a protected resource that requires authentication:

curl -i
# Expected response: HTTP/1.1 401 Unauthorized
# WWW-Authenticate: Basic realm="Access to protected resource"

PHP cURL Request and Response Example

PHP script using cURL to handle a response from a protected resource requiring authentication:

$ch = curl_init('');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == 401) {
    echo "Unauthorized access. Authentication required.";

Python Request and Response Example

Python script to send a GET request to a protected resource resulting in a 401 Unauthorized response:

import requests
response = requests.get('')
if response.status_code == 401:
    print("Unauthorized access. Authentication required.")

Apache Configuration for HTTP 401 Unauthorized

Configuring Apache to secure a resource with basic authentication:

<VirtualHost *:80>
    <Location "/protected-resource">
        AuthType Basic
        AuthName "Access to protected resource"
        AuthUserFile /path/to/.htpasswd
        Require valid-user

NGINX Configuration for HTTP 401 Unauthorized

Setting up NGINX to protect a resource with authentication:

server {
    listen 80;
    location /protected-resource {
        auth_basic "Access to protected resource";
        auth_basic_user_file /path/to/.htpasswd;

HTTP 400 Bad Request HTTP 402 Payment Required


Free Weekly


Join my weekly newsletter for the latest in tech! You'll get neat coding tricks, trend updates, career advice, SaaS reviews, crypto, bitcoin, and financial tips. All straight to your inbox, designed to keep you ahead.