HTTP 401 Error vs HTTP 403 Error – Status Code Response Explanation

We’ve covered the 403 HTTP error code in detail before. So what exactly is the difference between the 401 (Unauthorized) and 403 (Forbidden) status codes? Are they the same thing? Let’s take a closer look!

[[331309]]

RFC Standards

The latest RFC standard for 401 (Unauthorized) is RFC 7235: The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource... The user agent MAY repeat the request with a new or replacement Authorization header field.

403 (Forbidden) is most recently defined in RFC 7231: The 403 (Forbidden) status code means that the server understood the request but is refusing to authorize it... If authentication credentials were provided in the request, the server considers them insufficient to grant access.

Obvious reasons

As mentioned in the previous article, a 403 error could be a situation where you are logged in, but the user does not have sufficient privileges to access the requested resource. For example, a regular user might be trying to load the "admin" route. On the other hand, a 401 error is most obviously a sign that you are not logged in at all or provided an incorrect password. These are the two most common reasons for this error.

Less obvious reasons

In some cases, it’s not that simple. A 403 error can occur because the restriction is not entirely dependent on the credentials of the logged-in user. For example, the server may have locked down specific resources to allow access only from a predefined range of IP addresses, or it may utilize geo-blocking. A VPN can bypass the latter.

A 401 error can occur even if the user enters the correct credentials. This is rare, but it will return a 401 if the Authorization header is malformed. For example, you might want to include a JWT (JSON Web Token) in the request header with the format Authorization: Bearer

eyJhbGci......yJV_adQssw5c. If you forget the word "Bearer" before the JWT, you'll get a 401 error. I ran into this problem myself when using Postman to test an API I was developing, and forgot the correct syntax for the auth header!