401 Unauthorized

Misnamed by history: it means unauthenticated. The server does not know who you are — credentials are missing, expired, or invalid — and a WWW-Authenticate header should hint at the expected scheme. Fresh credentials can fix a 401; that is what separates it from 403.

What usually causes it

  • Missing or expired token (check exp — the #1 cause)
  • Authorization header formatted wrong ('Bearer' prefix missing or doubled)
  • Token issued for a different environment/audience (staging token against prod)
  • Clock skew making a just-issued token 'not yet valid' (nbf)

How to debug and fix it

  1. Decode the token and check exp/aud/iss before touching server logs — that explains most 401s in seconds.
  2. Confirm the header shape exactly: Authorization: Bearer <token> — one space, no quotes.
  3. Check whether the endpoint expects a different scheme (cookie session vs bearer vs API key header).
  4. If tokens die faster than their TTL, look for a server rejecting them for kid/rotation reasons.

Easily confused with