401 Unauthorized
Misnamed by history: it means unauthenticated. The server does not know who you are — credentials are missing, expired, or invalid — and a WWW-Authenticate header should hint at the expected scheme. Fresh credentials can fix a 401; that is what separates it from 403.
What usually causes it
- Missing or expired token (check exp — the #1 cause)
- Authorization header formatted wrong ('Bearer' prefix missing or doubled)
- Token issued for a different environment/audience (staging token against prod)
- Clock skew making a just-issued token 'not yet valid' (nbf)
How to debug and fix it
- Decode the token and check exp/aud/iss before touching server logs — that explains most 401s in seconds.
- Confirm the header shape exactly: Authorization: Bearer <token> — one space, no quotes.
- Check whether the endpoint expects a different scheme (cookie session vs bearer vs API key header).
- If tokens die faster than their TTL, look for a server rejecting them for kid/rotation reasons.
Easily confused with
Debugging an API? Build and inspect requests, check response headers, or read the full status-code debugging guide.