
What is 401 Status Code: Meaning and Usage in REST APIs

The 401 status code means "Unauthorized" in HTTP responses. It tells the client that they must provide valid authentication credentials to access the requested resource.

How It Works

Imagine you want to enter a private club. The club's bouncer asks for your ID before letting you in. In web terms, the 401 Unauthorized status code is like that bouncer telling you, "You need to prove who you are before you can enter."

When a client (like a web browser or app) tries to access a protected resource on a server without proper login details, the server responds with 401. This means the server expects the client to send valid credentials, such as a username and password or a token, to prove their identity.

Unlike a 403 Forbidden status, which means "The server knows who you are and still will not let you in," 401 means "The server does not yet know who you are: your credentials are missing, or the ones you sent were not accepted." The client can try again with the right credentials.


Example

This example shows a simple REST API endpoint in Python using Flask that requires a token for access. If the token is missing or wrong, it returns a 401 status code.

python
from flask import Flask, request, jsonify
import hmac

app = Flask(__name__)

VALID_TOKEN = "secret123"

@app.route('/protected')
def protected():
    # Expect "Authorization: Bearer <token>"; a missing header yields an empty string
    token = request.headers.get('Authorization', '')
    # Constant-time comparison so response timing does not reveal how many leading characters matched
    if not hmac.compare_digest(token.encode(), f"Bearer {VALID_TOKEN}".encode()):
        # A 401 must carry a WWW-Authenticate header naming the expected scheme (RFC 7235)
        return jsonify({"error": "Unauthorized"}), 401, {"WWW-Authenticate": "Bearer"}
    return jsonify({"message": "Welcome to the protected resource!"})

if __name__ == '__main__':
    # debug=True is for local development only; never enable it on a reachable server
    app.run(debug=True)
Output

* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
# When called without a token or with a wrong token:
# HTTP/1.0 401 UNAUTHORIZED
# {"error": "Unauthorized"}
# When called with the correct token:
# HTTP/1.0 200 OK
# {"message": "Welcome to the protected resource!"}

When to Use

Use the 401 Unauthorized status code when a client tries to access a resource that requires authentication but has not provided valid credentials. This tells the client to authenticate first.

Common real-world cases include:

  • Accessing user profile data on a website without logging in.
  • Calling an API endpoint that requires an API key or token, but the key is missing or invalid.
  • Trying to use a service after your login session has expired.

It helps keep resources secure by ensuring only authenticated clients can reach sensitive information; whether an authenticated client is actually permitted to see it is a separate check, and failing that check is what 403 is for.
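As an added example that is not part of the original page, the framework-free Python helper below makes the 401 versus 403 decision described above explicit: a missing or unrecognised bearer token gets 401 together with the WWW-Authenticate challenge a 401 is required to carry, while a recognised token that lacks the scope the resource needs gets 403. The token table, scope names and realm are constructed for illustration.

```python
import hmac

# Constructed token table for this example: token -> scopes granted to its holder
TOKENS = {
    "tok-reader-001": {"profile:read"},
    "tok-admin-002": {"profile:read", "profile:write"},
}

def check_request(headers: dict, required_scope: str):
    """Decide the response for a bearer-protected resource.

    Returns (status, body, extra_headers).
      401 -> no usable credentials; the client may retry after authenticating
      403 -> credentials accepted, but this identity may not do this; retrying as-is is pointless
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    # RFC 7235: every 401 must name the expected scheme in WWW-Authenticate
    challenge = {"WWW-Authenticate": 'Bearer realm="api"'}
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "Unauthorized"}, challenge
    # Compare against every known token in constant time so the loop's timing
    # does not depend on which token (if any) shares a prefix with the input
    granted = None
    for known, scopes in TOKENS.items():
        if hmac.compare_digest(token.encode(), known.encode()):
            granted = scopes
    if granted is None:
        # Bearer token usage (RFC 6750) lets the challenge say why the token was rejected
        challenge = {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
        return 401, {"error": "Unauthorized"}, challenge
    if required_scope not in granted:
        # Authenticated, but not permitted: this is a 403, not another 401
        return 403, {"error": "Forbidden"}, {}
    return 200, {"message": "Welcome to the protected resource!"}, {}
```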

Key Points

  • 401 means authentication is required or failed.
  • It differs from 403, which means access is forbidden even with authentication.
  • Clients should respond by asking users to log in or provide credentials.
  • Commonly used in APIs and websites to protect private data.

Key Takeaways

  • 401 status code means the client must authenticate to access the resource.
  • It signals missing or invalid credentials, not just forbidden access.
  • Use 401 to protect resources that require login or tokens.
  • Clients should prompt users to provide valid authentication when receiving 401.
  • 401 helps keep sensitive data secure by enforcing authentication.