The One-Sentence Difference
401 Unauthorized means "I don't know who you are — authenticate." 403 Forbidden means "I know who you are, and you still can't have this." The first is about authentication (identity), the second about authorization (permission).
401 Unauthorized
A 401 says the request lacks valid credentials. The name is a historical misnomer — it really means unauthenticated. A correct 401 must include a WWW-Authenticate header telling the client how to authenticate:
```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Admin Area"
```
The client is expected to retry with credentials — for example an Authorization: Basic ... header (see the Authorization header explained). If you send credentials and still get 401, the credentials were rejected; re-check them with the practical tips in Basic Auth in curl, Postman, fetch.
403 Forbidden
A 403 says the server understood the request and the client's identity, but refuses to authorize it. Retrying with the same credentials will not help — the account simply lacks permission, or a rule (IP block, plan limit, ownership check) denies it. A 403 does not use WWW-Authenticate, because re-authenticating changes nothing.
How to Decide Which to Return
| Situation | Return |
|---|---|
| No credentials sent | 401 |
| Credentials sent but invalid/expired | 401 |
| Valid identity, but lacks permission | 403 |
| Valid identity, resource hidden for privacy | 404 (sometimes preferred over 403) |
A subtle design choice: some APIs return 404 Not Found instead of 403 for resources a user shouldn't even know exist, to avoid leaking their existence. Look up the exact semantics of any code with the HTTP status codes reference.
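The decision table above, turned into a small request-authorization routine. This is an added example written for this page, not code from the original article; the user store, the resource table, the `realm` value and the role/owner rules are all constructed for illustration. It parses a Basic `Authorization` header, answers 401 with a `WWW-Authenticate` challenge whenever the identity is missing or rejected, 403 when the identity is known but lacks permission, and 404 for resources whose existence should not be leaked (and for paths that really do not exist).

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed sample identity store and resource table for this example only.
# Plaintext passwords are used purely to keep the demo self-contained.
USERS = {
    "alice": {"password": "s3cret", "roles": {"admin"}},
    "bob": {"password": "hunter2", "roles": set()},
}
RESOURCES = {
    "/admin/settings": {"required_role": "admin", "hidden": False},
    "/users/alice/private": {"owner": "alice", "hidden": True},
    "/users/bob/private": {"owner": "bob", "hidden": True},
    "/users/bob/profile": {"owner": "bob", "hidden": False},
}
# Challenge sent with every 401; the realm is an assumed value.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Admin Area"'}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(auth_header):
    """Return (user, password) from a 'Basic <base64>' header, or None if absent or malformed."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(auth_header):
    """Return the verified username, or None when credentials are missing or rejected."""
    creds = parse_basic(auth_header)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    # Constant-time comparison, run even for unknown users so timing does not
    # reveal which usernames exist.
    expected = record["password"] if record else ""
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return user if (record and ok) else None


def authorize(path: str, auth_header=None) -> Response:
    """Apply the decision table: 401 (who are you?), 403 (you may not), 404 (not here, or hidden)."""
    user = authenticate(auth_header)
    if user is None:
        # Missing *or* invalid credentials both mean "unauthenticated": challenge, never 403.
        return Response(401, dict(CHALLENGE))
    resource = RESOURCES.get(path)
    if resource is None:
        return Response(404)
    if "required_role" in resource:
        allowed = resource["required_role"] in USERS[user]["roles"]
    else:
        allowed = resource["owner"] == user
    if allowed:
        return Response(200)
    # Identity is known but permission is lacking. Hidden resources get 404 so their
    # existence is not leaked; ordinary ones get an honest 403 with no challenge header.
    return Response(404 if resource["hidden"] else 403)
```

Two details are worth noticing when adapting this: the 401 branch is reached for a missing header, an unsupported scheme and a wrong password alike, because all three leave the server not knowing who the caller is; and the 403 and 404 branches deliberately omit `WWW-Authenticate`, since re-authenticating cannot change the outcome.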
Common Mistakes
- Returning `401` without a `WWW-Authenticate` header — technically non-compliant and confuses clients.
- Using `403` when you mean `401` (no credentials) — clients won't know to authenticate.
- Returning `200` with an error body for an auth failure — breaks clients that rely on status codes.
Frequently Asked Questions
What is the difference between 401 and 403?
401 means the request is not authenticated (no or invalid credentials) and the client should authenticate; 403 means the client is authenticated but not allowed, and retrying won't help.
Does 401 require a WWW-Authenticate header?
Yes. A compliant 401 response includes WWW-Authenticate naming the scheme (e.g. Basic, Bearer) the client should use.
Should I return 403 or 404 for a forbidden resource?
Use 403 when it's fine to reveal the resource exists. Use 404 when even acknowledging its existence would leak information.
Look up any response code with the HTTP status codes tool, and see how authentication headers work in The HTTP Authorization Header Explained.