← All articles

Tutorials

HTTP 401 Unauthorized: What It Means & How to Fix It

Daniel K. · July 15, 2026 · 6 min read


The HTTP 401 Unauthorized status code means the server requires authentication and the request either did not include valid credentials or the credentials it did include were rejected. In plain terms: "I do not know who you are — log in first." This guide explains what triggers a 401, how it differs from the similar 403 and 407 codes, and how to fix it in browsers, APIs, and web scraping.

What Does HTTP 401 Mean?

401 is a client-error response in the 4xx family. When a server returns it, it should also include a WWW-Authenticate header telling the client which authentication scheme to use (for example Bearer, Basic, or Digest). The request can usually be retried successfully once valid credentials are supplied. A 401 is about identity: the server cannot authenticate you at all.

401 vs 403 vs 407

These three get confused constantly, so here is the clean distinction:

CodeMeaningFix
401 UnauthorizedNot authenticated — missing or invalid credentialsProvide valid credentials / log in
403 ForbiddenAuthenticated, but not allowed to access this resourceGet permission / correct role
407 Proxy Authentication RequiredThe proxy, not the target, needs credentialsSend valid proxy username and password

Rule of thumb: 401 is "who are you?", 403 is "I know who you are, and no", and 407 is the same as 401 but coming from a proxy in the middle.

Common Causes of a 401

How to Fix a 401 in the Browser

How to Fix a 401 in an API or App

Most 401s in code come from a missing, wrong, or expired credential. Read the WWW-Authenticate header the server returns to learn which scheme it expects, then send the matching Authorization header. A Bearer-token example in Python:

import requests

# Send a bearer token in the Authorization header
headers = {"Authorization": "Bearer YOUR_API_TOKEN"}
r = requests.get("https://api.example.com/data", headers=headers, timeout=20)

if r.status_code == 401:
    # token missing/expired -> refresh it, then retry
    print("Unauthorized:", r.headers.get("WWW-Authenticate"))
else:
    print(r.json())

For Basic auth, pass credentials directly instead:

r = requests.get("https://api.example.com/data",
                 auth=("USERNAME", "PASSWORD"), timeout=20)

If the token is expired, implement a refresh step and retry once. If it is simply wrong, regenerate the key in the provider's dashboard.

401 in Web Scraping

When scraping, a 401 usually means the target resource is genuinely behind a login or API key — scraping public data will not hit it, but hitting an authenticated endpoint will. Two things to keep straight:

import requests

# Proxy auth lives in the endpoint (a proxy failure would be 407, not 401)
proxy = "http://USERNAME:[email protected]:12321"
proxies = {"http": proxy, "https": proxy}

r = requests.get("https://httpbin.org/ip", proxies=proxies, timeout=20)
print(r.status_code, r.json())

A 401 is never fixed by rotating IPs — it is an identity problem, not a blocking problem. If instead you are seeing bans or 429 rate limits, that is where residential proxies help.

Frequently Asked Questions

What is the difference between 401 and 403?

A 401 Unauthorized means you are not authenticated — the server does not know who you are because credentials are missing or invalid. A 403 Forbidden means you are authenticated but not allowed to access that specific resource. Fix a 401 by logging in with valid credentials; fix a 403 by obtaining the right permissions.

How do I fix a 401 Unauthorized error?

Supply valid credentials. In a browser, log in again and clear stale cookies. In an API, send the correct Authorization header for the scheme the server expects (Bearer token or Basic auth), and refresh the token if it has expired. Check the WWW-Authenticate header to see what the server wants.

Does a 401 mean my proxy is broken?

No. Proxy authentication failures return 407 Proxy Authentication Required, not 401. A 401 comes from the target server and means the resource itself requires authentication you did not provide.

Will rotating proxies fix a 401?

No. A 401 is an authentication problem, not an IP-blocking problem, so changing IPs will not help. Rotating residential proxies address rate limits and bans (429 or 403 from over-requesting), not missing credentials.

Conclusion

A 401 Unauthorized is one of the more straightforward HTTP errors once you know the pattern: the server needs to know who you are, and your request did not prove it. Read the WWW-Authenticate header, send valid credentials in the right scheme, refresh expired tokens, and remember that proxy-side auth failures are 407, not 401.

Need reliable proxies for scraping that avoid the blocks 401 has nothing to do with? Explore SpyderProxy residential proxies from $2.75/GB, ethically sourced across 195+ countries.

Ready to collect data without getting blocked?

Start now ↗