401 Error: What Is It and How to Fix It

By Vladimir Kaplarevic
Published: May 29, 2025

The internet runs on a complex web of hardware, software, and communication protocols. With so many components, occasional errors and authentication failures are inevitable.

HTTP error messages, such as 401 Unauthorized, help users and administrators understand what went wrong and where to start troubleshooting.

This article will help you find out what causes the 401 error and how to restore access to the affected website.


What Is 401 Error?

The 401 HTTP error occurs when a user or device attempts to access a resource without proper authentication. The server hosting the resource expects valid login credentials, a bearer token, or a session cookie.

If the information is missing, invalid, or expired, the server responds with a 401 Unauthorized status.

Note: Many users confuse the 401 Unauthorized error with 403 Forbidden. Our detailed 403 Forbidden Error guide highlights the main differences.

What Does 401 Error Look Like?

The appearance of the 401 error depends on how the request was made and the server's configuration. For example, when users try to access protected web pages without proper authentication, browsers usually display the following error screens:

Chrome: This page isn't working (HTTP ERROR 401)

401 error in Chrome.

Firefox: 401 Unauthorized

401 error in Firefox.

Microsoft Edge: This page isn't working right now

401 error in Microsoft Edge.

Messages are generated based on the HTTP status code sent by web servers like Apache, NGINX, and IIS. Default server-generated messages include:

  • 401 Unauthorized
  • HTTP 401 – Unauthorized: Access is denied due to invalid credentials.
  • Access Denied: Invalid credentials
  • 401 Unauthorized: The request requires user authentication.
  • Login failed. Access is denied due to invalid credentials.

Note: Administrators often customize their error pages to include specific branding, instructions, or login links. If the server includes a custom error page, the browser renders that page instead of a generic message.

If an app or service makes an API call and fails to authenticate, the server responds with a structured JavaScript Object Notation (JSON) or plain-text message. Examples include:

  • 401 Unauthorized: Invalid API key
  • 401 Unauthorized: Token has expired
  • 401 Unauthorized: Missing Authorization Header
  • 401 Unauthorized: Invalid bearer token
  • 401 Unauthorized: Session expired
  • 401 Unauthorized: Access token not provided
  • 401 Unauthorized: CSRF token invalid/missing

This is an example of a JSON response for an invalid or missing bearer token:

HTTP/1.1 401 Unauthorized
Content-Type: application/json
WWW-Authenticate: Bearer realm="example"

{
  "error": "Unauthorized",
  "message": "Invalid or missing authentication token",
  "status": 401
}

Note: 401 responses include the WWW-Authenticate header, which specifies the required authentication method. In this example, the header indicates that a bearer token is required.

What Causes 401 Error?

Authentication usually fails because the credentials were not provided, they were incorrect, or they expired. Depending on who has attempted to access the protected resources on the host server, the 401 error may be caused by:

User-facing Issues

  • Expired session. The user was logged in, but the page was left idle for too long. As a security measure, the session token expired, and the user no longer has access.
  • Incorrect credentials. The user is trying to log in using an incorrect username or password.
  • Not logged in. The user attempts to access the protected area, believing they are logged in, but their session has never started or has already ended.
  • Expired browser credentials. Browsers cache credentials to streamline the user's login experience. If those credentials become corrupted, blocked, or expired, authentication may fail and trigger the 401 error.

Server and Configuration Issues

  • Misconfigured access files. Access is restricted due to incorrectly set rules in the .htaccess, .htpasswd, or NGINX configuration files.
  • Windows authentication failed. The server is configured to use Windows-integrated authentication, and the user's domain credentials are missing or incorrect.
  • Custom app logic. Some web applications implement their own authentication rules. If the request does not meet these rules, such as missing headers or invalid tokens, the server may respond with a 401 Unauthorized status.

API and Backend Issues

  • No Authorization header. The HTTP request is missing the Authorization header or contains an incorrect header format.
  • Expired Token. The authentication token (OAuth, JWT) has expired, been blocked, or revoked due to unusual or unauthorized activity.
  • Invalid API key. Many public APIs require a valid API key to be passed via an HTTP header or URL parameter. If the key is incorrect, outdated, or missing, the server may respond with a 401 error.

How to Fix 401 Error?

The steps to fix a 401 error depend on whether you are visiting a website or managing it. Refer to the sections below.

Troubleshooting 401 for Website Visitors

If you are attempting to access a website and run into the 401 error, there are a few troubleshooting steps you can take.

Refresh the Page

The first step a website visitor should take when they encounter the 401 error is to refresh the page. The easiest way to refresh a page is to hit the refresh button in the address bar.

The refresh button in Chrome.

If a regular refresh does not work, it may be necessary to bypass the browser cache and force the browser to re-download the resources from the server.

To perform a hard refresh, use the following keyboard shortcuts:

Note: Some systems, especially laptops, have a function assigned to the F5 key. In that case, you have to hold the Fn key on your keyboard when pressing Ctrl+F5.

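| Operating System | Browser | Hard Refresh Shortcut |
|------------------|---------|-----------------------|
| Windows | Chrome | Ctrl+F5, Shift+F5 |
| Windows | Firefox | Ctrl+F5, Ctrl+Shift+R |
| Windows | Edge | Ctrl+F5, Ctrl+Shift+R |
| Windows | Opera | Ctrl+F5 |
| macOS | Safari | Cmd+Option+R (hard refresh), Cmd+Option+E (clear cache only) |
| macOS | Chrome | Cmd+Shift+R |
| macOS | Firefox | Cmd+Shift+R |
| Linux | Chrome | Ctrl+F5, Ctrl+Shift+R |
| Linux | Firefox | Ctrl+F5, Ctrl+Shift+R |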

Check the URL

If the refresh did not help, double-check the URL in the browser's address bar. A typo or an attempt to access a restricted subdomain or admin area of a website can trigger the 401 status.

Try a Different Browser or Device

To rule out browser-related issues, try a different browser, such as Chrome instead of Firefox, to access the same URL.

If the error persists, use an entirely different device, like a smartphone or another computer, to access the same URL. The problem could be specific to the original device.

Clear Cache

Browsers store authentication data in their cache. However, sometimes host servers update authentication requirements. Outdated cached data can interfere with the login or session validation. To fix this issue, you need to clear the browser's cache.

To clear the cache in Chrome:

1. Open the browser and press Ctrl+Shift+Del.

2. Switch to the Basic tab.

3. Click Delete data and reload the website.

Clearing the cache in Chrome.

To clear the cache in Firefox:

1. While the browser is open, press Ctrl+Shift+Del.

2. Use the When dropdown to set the time range.

3. Click Clear.

Clearing the cache in Firefox.

Reload the website to confirm the 401 Unauthorized error is resolved.

To clear the cache in Safari, press Cmd+Alt+E and reload the page.

Log In Again

As a security precaution, many websites automatically log out users after inactivity. If you were previously logged in and left the page idle for an extended period, the session may have expired.

Log in again and try to access the page.

Contact the Website Owner

If none of the suggestions worked, the issue may be caused by a misconfiguration on the server hosting the website.

Contact the website owner or support team. Provide the URL you are trying to access and recount the steps you have already tried to streamline the troubleshooting process.

Troubleshooting 401 for Website Owners

To troubleshoot a 401 Unauthorized error, try the steps in the sections below.

Step 1: Replicate the Error

To verify the issue on your system:

1. Ask the user to provide the exact URL where they encountered the error.

2. Open an incognito browser window and visit the URL.

3. If the page loads, advise the user to try the solutions from the Troubleshooting 401 for Website Visitors section, such as refreshing the page, logging in again, or clearing their browser's cache.

4. If you replicate the error, visit the homepage, login page, and other restricted areas to determine if the issue is limited to a specific page or if it's a global configuration problem.

Step 2: Create New Test User

To rule out a user-specific issue:

1. Sign up or register on the website to create a new test account.

2. Attempt to log in using the new credentials.

3. If the new test user can log in, compare database entries, roles, and permissions for the affected user account.

This helps determine if the issue affects all users or is limited to a specific user or user group.

Step 3: Disable CMS Plugins

If the website uses a content management system (CMS) like WordPress, Joomla, or Drupal, a security plugin may be causing the 401 error.

To check for plugin-related issues in WordPress:

1. Access the WordPress admin dashboard.

2. Click Plugins.

3. Look for plugins that manage access control or authentication, like membership plugins.

4. Deactivate the suspected plugin and ask the user to log in and try to access the restricted content.

Deactivating an authentication plugin in WordPress to resolve 401 error.

If the error no longer appears, the plugin may be misconfigured or affected by a recent update. Try updating or reinstalling the plugin first, and contact the plugin's support team if the problem persists.

Step 4: Check Server-Side Password Protection

Web servers enforce user authentication via config files. A missing or misconfigured file in Apache or NGINX can cause 401 Unauthorized errors.

Apache

If the website is hosted on an Apache server:

1. Connect to the server using SSH or via a control panel, like cPanel.

2. Navigate to the directory serving the affected page, for example, the website's root or a subdirectory.

3. Locate the .htaccess file and use a text editor to open it:

sudo nano /var/www/html/.htaccess

4. Look for the following lines:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

5. To disable basic authentication, comment out each line by adding a hash sign (#) at the beginning:

#AuthType Basic
#AuthName "Restricted Area"
#AuthUserFile /etc/apache2/.htpasswd
#Require valid-user

6. Save the changes and exit the file.

7. Restart the Apache service to apply the changes:

sudo systemctl restart apache2
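
A way to check the four directives and the password file they point to, as an alternative to switching authentication off while diagnosing. This is an added example, not part of the original article; the function names, the user names, and the placeholder hash are assumptions made for illustration.

```python
import re

# Matches the four directives the page lists; commented-out lines do not match.
DIRECTIVE = re.compile(r"^\s*(AuthType|AuthName|AuthUserFile|Require)\s+(.+?)\s*$", re.I)

def parse_htaccess(text):
    """Return the active basic-auth directives, keyed by lower-cased name."""
    matches = (DIRECTIVE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2).strip('"') for m in matches if m}

def check_basic_auth(htaccess_text, htpasswd_text, user):
    """List reasons `user` could be refused; htpasswd_text is None if unreadable."""
    conf = parse_htaccess(htaccess_text)
    problems = [f"missing directive: {name}"
                for name in ("AuthType", "AuthName", "AuthUserFile", "Require")
                if name.lower() not in conf]
    if htpasswd_text is None:
        return problems + [f"cannot read {conf.get('authuserfile', 'password file')}"]
    users = set()
    for number, line in enumerate(htpasswd_text.splitlines(), 1):
        name, sep, hashed = line.strip().partition(":")
        if not line.strip():
            continue  # blank lines are harmless
        if sep and name and hashed:
            users.add(name)
        else:
            problems.append(f"password file line {number}: not in user:hash form")
    if user not in users:
        problems.append(f"user {user!r} has no valid entry in the password file")
    return problems

# Constructed inputs; the hash is a placeholder, not a real credential.
HTACCESS = '''AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
'''
HTPASSWD = "alice:$apr1$CONSTRUCTED$placeholderplaceholder00\nbob\n"

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, check_basic_auth(HTACCESS, HTPASSWD, who))
```

On a real server, pass the contents of the .htaccess file and of the file named by AuthUserFile, read with the same privileges the web server runs under.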

NGINX

For servers running NGINX:

1. Access the server configuration file at /etc/nginx/sites-available/your-site.conf:

sudo nano /etc/nginx/sites-available/your-site.conf

2. Find the lines that control basic authentication and comment them out:

#auth_basic "Restricted";
#auth_basic_user_file /etc/nginx/.htpasswd;

3. Save the changes and exit the file.

4. Use the following command to test the configuration:

sudo nginx -t

5. Restart the NGINX service:

sudo systemctl restart nginx

Step 5: Check Server Logs

Servers or server hosting providers keep error and login attempt logs. Entries in these logs may hold more information about the cause of the 401 error.

Access the server's command line interface (CLI) and use the less command to open the error log:

For Apache use:

sudo less /var/log/apache2/error.log

For NGINX, enter:

sudo less /var/log/nginx/error.log

Press / to activate the search mode within less, and type in relevant keywords such as 401, unauthorized, or missing credentials. Use the arrow keys to navigate between the matches.

Collect and record timestamps, client IP addresses, request paths, and messages that can provide additional context about the cause of the issue.
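
The status code of each request is recorded in the access log, so the collection step above, and the failed-login tracking recommended in the prevention section, can be scripted. The following is an added example, not part of the original article; it assumes the combined log format, and the sample lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Leading fields of the combined log format used by Apache and NGINX access logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = """\
203.0.113.7 - - [29/May/2025:10:01:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.5.0"
203.0.113.7 - bob [29/May/2025:10:01:03 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.5.0"
203.0.113.7 - bob [29/May/2025:10:01:04 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.5.0"
198.51.100.4 - - [29/May/2025:10:02:00 +0000] "GET /api/v1/items HTTP/1.1" 401 97 "-" "app/1.2"
198.51.100.4 - alice [29/May/2025:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

def summarize_401(lines, threshold=3):
    """Count 401 responses per client and per path; flag clients at or above threshold."""
    by_ip, by_path, no_creds = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "401":
            continue  # skip malformed lines and other statuses
        by_ip[m["ip"]] += 1
        by_path[m["path"]] += 1
        if m["user"] == "-":
            no_creds[m["ip"]] += 1  # no Basic-auth username in the request
    flagged = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"by_ip": dict(by_ip), "by_path": dict(by_path),
            "no_credentials": dict(no_creds), "flagged": flagged}

if __name__ == "__main__":
    report = summarize_401(SAMPLE.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A single path collecting most of the 401 responses points to a configuration problem on that resource, while a single client repeating failures with different usernames points to that client.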

Step 6: Inspect Token via DevTools

Websites that use token-based authentication return a 401 status if there are issues with the token or the request's Authorization header.

Use the Browser Developer Tools (DevTools) feature to verify that the token is correctly sent and validated:

1. Open the page where the 401 error is reported.

2. Right-click anywhere on the page and select Inspect to open DevTools.

3. Go to the Network tab.

4. Reload the page while DevTools is open.

5. Find the request that returned the 401 Unauthorized status and click on it.

The authorization header in devtools.

6. Confirm the Authorization header is present and that the token is correctly formatted.

Authentication header in DevTools.

7. Review the server return message in the Response tab. An example response includes the following lines:

{
   "error": "Unauthorized",
   "message": "Token expired",
   "status": 401
}

8. The Initiator column shows which script triggered the failed request.

Once you identify the script or component making the unauthorized request, review its authentication logic and request headers to ensure they comply with your server's requirements.
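
The header checks from the steps above can also be run on a value copied out of DevTools. This is an added example, not part of the original article; it assumes the token is a JWT (an opaque OAuth token cannot be decoded this way), it does not verify the signature, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json
import time

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_authorization(header_value, now=None):
    """List problems in an Authorization header that should carry a JWT.

    The signature is not verified; this only checks what the client sent.
    """
    now = time.time() if now is None else now
    if not header_value or not header_value.strip():
        return ["Authorization header is missing or empty"]
    parts = header_value.strip().split(" ")
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return ["header is not in the form 'Bearer <token>'"]
    segments = parts[1].split(".")
    if len(segments) != 3 or not all(segments):
        return ["token is not three dot-separated base64url segments"]
    try:
        claims = json.loads(b64url_decode(segments[1]))
    except ValueError:
        return ["token payload is not base64url-encoded JSON"]
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        return ["token payload has no numeric exp claim"]
    if exp <= now:
        return [f"token expired {int(now - exp)} seconds ago"]
    return []

def make_sample_token(exp):
    """Build a constructed token with a placeholder signature (demo input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"sub": "demo", "exp": exp}), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    now = 1_748_500_000  # fixed clock so the output is reproducible
    for value in ("", "Basic dXNlcjpwdw==", "Bearer abc",
                  "Bearer " + make_sample_token(now - 60),
                  "Bearer " + make_sample_token(now + 600)):
        print(repr(value[:24]), inspect_authorization(value, now))
```

Running the check locally keeps a live token out of web-based decoders. An empty result means the header is well formed and unexpired, so the cause lies in server-side validation such as the signature, audience, or revocation.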

Step 7: Contact ISP

Website owners on shared or managed hosting plans usually do not have full access to server configuration files or detailed logs, which are necessary to resolve the 401 error.

To streamline the troubleshooting process, prepare the following information before contacting the support service:

  • The URL(s) where the 401 error occurs.
  • Timestamps of when the issue was observed.
  • An account of what occurred and the steps the user took.
  • A summary of the actions you took to troubleshoot the issue and the outcomes.
  • Any log excerpts and screenshots you were able to collect.

Submitting a comprehensive initial request enables support staff to pinpoint the issue and provide a fast solution.

How to Prevent 401 Errors?

To reduce the likelihood of invalid requests and the 401 Authentication error:

  • Automatically refresh or reauthenticate users before their session tokens expire.
  • Use HTTPS to encrypt data in transit. Do not store login credentials or authentication tokens in browser sessionStorage, localStorage, or memory accessible to client-side scripts.
  • Let users know why access was denied by displaying specific messages, such as Session expired or Incorrect password.
  • Avoid restrictive settings that block legitimate users from accessing public or authenticated resources.
  • Track failed login attempts to catch patterns and improve authentication flows.
  • If you offer an API solution, provide public documentation with clear authentication guidelines, sample requests, required headers, expected responses, and error code explanations.

Conclusion

This article showed you what causes the 401 Unauthorized error and the practical steps you can take to resolve it.

Web admins regularly encounter HTTP status codes. Read our detailed guides on troubleshooting the 502 Bad Gateway, 503 Service Unavailable, and 523: Origin is unreachable errors.
