What Does HTTP Status 401 Mean? (Unauthorized)
What HTTP 401 (Unauthorized) Means In Plain English
A 401 status (Unauthorized) means authentication is required or the provided auth credentials are invalid.
If you want the broader context across all status code families, use the full HTTP Status Codes Guide (2xx, 3xx, 4xx, 5xx).
How to Read HTTP 401 in WebsiteDown Results
In down checks, 401 usually means the service is reachable. The issue is often with auth tokens, session handling, or identity provider dependencies.
If you see this code only in one region, compare with official provider status and retest from another network. Mixed regional results often indicate routing, policy, or edge differences rather than full global outages.
For deeper triage, compare this with the HTTP 403 guide, HTTP 302 guide, and the SaaS login outage guide.
Most Common Root Causes
- Expired or invalid bearer tokens.
- Broken session cookies after auth-domain changes.
- Clock drift causing token validation failures.
- Identity provider outages or callback misconfiguration.
What to Do Next
- Verify token lifetime, issuer, audience, and signature configuration.
- Test with a fresh authentication flow from a clean session.
- Check IdP status and callback URL consistency.
- Correlate 401 spikes with deployments in auth middleware.
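The following added example, which is not from the original page, assumes the bearer token is a JWT and reads its claims to flag the causes listed above: expiry, clock drift, and issuer or audience mismatch. The function names, issuer URL and audience values are constructed for illustration; the signature is not verified, so this is a triage aid and not an authentication check.

```python
import base64, json, time

def _decode(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def triage_token(token, expected_iss, expected_aud, now=None, leeway=60):
    """List likely 401 causes visible in a JWT's claims (signature is NOT verified)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        claims = _decode(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["malformed: payload is not a JSON object"]
    findings = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("exp missing or non-numeric")
    elif now >= exp + leeway:
        findings.append(f"expired {int(now - exp)}s ago")
    elif now >= exp:
        findings.append("expired within leeway: compare clocks")
    for name in ("nbf", "iat"):
        value = claims.get(name)
        # A token dated in the validator's future points at clock drift.
        if isinstance(value, (int, float)) and value > now + leeway:
            findings.append(f"{name} is {int(value - now)}s in the future: clock drift")
    if claims.get("iss") != expected_iss:
        findings.append(f"iss mismatch: got {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_aud not in audiences:
        findings.append(f"aud mismatch: got {aud!r}")
    return findings

def make_sample(claims):
    """Build a constructed sample token; the third segment is a placeholder signature."""
    b64 = [base64.urlsafe_b64encode(json.dumps(s).encode()).rstrip(b"=").decode()
           for s in ({"alg": "RS256", "typ": "JWT"}, claims)]
    return ".".join(b64 + ["c2lnbmF0dXJl"])

if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the output is reproducible
    sample = make_sample({"iss": "https://idp.example/", "aud": "api-v1", "exp": NOW - 3600})
    for line in triage_token(sample, "https://idp.example/", "api-v2", now=NOW):
        print(line)
```

Run it against a token captured from a failing request, passing the issuer and audience your API is configured to accept; an empty result means the claims look fine and the signature configuration or the IdP is the next thing to check.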
What to Avoid During Triage
- Do not treat a 401 as a generic “site down” signal.
- Do not ask users to re-login repeatedly before you have checked for a root cause.
Real-World Examples
- Example: mobile app keeps old token format after backend auth change.
- Example: SSO callback domain mismatch returns broad 401 errors.