401 Unauthorized Error: Diagnosis
Understand and resolve authentication problems.
The 401 Unauthorized error means the request requires authentication that the client hasn't provided or that is invalid. It's a normal response for protected resources.
The problem occurs when a public page unexpectedly returns 401, or when your valid credentials are rejected. This guide helps you diagnose these cases.
Main Causes
- Incorrect credentials: Username/password or API token is invalid or expired.
- .htpasswd protection: An .htaccess file protects the folder with HTTP Basic authentication.
- Expired token: JWT or OAuth token has expired and needs renewal.
- Missing header: Authorization header isn't sent or is malformed.
Diagnosis
- Check header: Use DevTools to see if Authorization is being sent.
- Test credentials: Validate that credentials are correct in another context.
- Check expiration: For JWT tokens, decode them to see expiration date.
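The three checks above can be scripted. The following is an added example, not code from the original page: `diagnose_authorization` and `sample_jwt` are hypothetical names, the token is constructed, and the JWT payload is read without verifying its signature, so the result is for diagnosis only.

```python
import base64, json, time

def diagnose_authorization(header, now=None, skew=60):
    """Classify an Authorization header value; claims are read WITHOUT
    verifying the signature, so use the result for diagnosis only."""
    now = time.time() if now is None else now
    if not header or not header.strip():
        return "missing header"
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if not value:
        return "malformed: no credentials after scheme"
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return "malformed: Basic value is not valid base64"
        return "ok: Basic" if ":" in decoded else "malformed: Basic value lacks user:password"
    if scheme.lower() != "bearer":
        return "unsupported scheme: " + scheme
    parts = value.split(".")
    if len(parts) != 3:
        return "ok: opaque Bearer token (not a JWT, expiry unknown)"
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return "malformed: JWT payload does not decode"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        return "ok: JWT without numeric exp claim"
    if exp < now - skew:
        return "expired: exp was %d seconds ago" % (now - exp)
    if exp < now:
        return "borderline: expired but within %d s clock-skew allowance" % skew
    return "ok: JWT valid for %d more seconds" % (exp - now)

def sample_jwt(exp):
    """Constructed sample token with a dummy signature (demonstration only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc({"sub": "demo", "exp": exp}) + ".c2ln"

if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the output is reproducible
    for h in ["", "Bearer", "Basic dXNlcjpwYXNz", "Bearer " + sample_jwt(now - 3600),
              "Bearer " + sample_jwt(now + 300)]:
        print(repr(h[:30]), "->", diagnose_authorization(h, now=now))
```

A "borderline" result points at clock drift between client and server rather than at the token itself.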
Solutions
- Renew token: Get a new token with refresh token or reauthenticate.
- Fix format: Ensure header is "Authorization: Bearer <token>" or "Basic <credentials>".
- Remove .htpasswd: If protection is no longer wanted, remove AuthType directives from .htaccess.
Frequently Asked Questions
Difference between 401 and 403?
401 = "who are you?" (authentication required). 403 = "I know who you are, but no" (authorization denied).
How to monitor a protected API?
MoniTao lets you configure authentication headers (Bearer token, Basic Auth) to monitor protected endpoints.
Token is correct but I still get 401?
Check the server clock (JWT validation compares exp against the current time), the exact header format, and that the token isn't revoked.
Is 401 an error to monitor?
On a public page, yes. On a protected page, it's normal. Configure MoniTao according to your use case.