The HTTP 401 Unauthorized status code means the server requires authentication and the request either did not include valid credentials or the credentials it did include were rejected. In plain terms: "I do not know who you are — log in first." This guide explains what triggers a 401, how it differs from the similar 403 and 407 codes, and how to fix it in browsers, APIs, and web scraping.
What Does HTTP 401 Mean?
401 is a client-error response in the 4xx family. When a server returns it, it should also include a WWW-Authenticate header telling the client which authentication scheme to use (for example Bearer, Basic, or Digest). The request can usually be retried successfully once valid credentials are supplied. A 401 is about identity: the server cannot authenticate you at all.
401 vs 403 vs 407
These three get confused constantly, so here is the clean distinction:
| Code | Meaning | Fix |
|---|---|---|
| 401 Unauthorized | Not authenticated — missing or invalid credentials | Provide valid credentials / log in |
| 403 Forbidden | Authenticated, but not allowed to access this resource | Get permission / correct role |
| 407 Proxy Authentication Required | The proxy, not the target, needs credentials | Send valid proxy username and password |
Rule of thumb: 401 is "who are you?", 403 is "I know who you are, and no", and 407 is the same as 401 but coming from a proxy in the middle.
Common Causes of a 401
- Missing credentials — the request has no
Authorizationheader at all. - Invalid or mistyped credentials — wrong API key, username, or password.
- Expired token or session — a bearer token or cookie that has timed out.
- Wrong authentication scheme — sending Basic auth where the API expects Bearer, or vice versa.
- Malformed header — a badly encoded Basic auth string or a missing
Bearerprefix. - Clock skew — for signed or time-limited tokens, a badly wrong system clock can invalidate them.
How to Fix a 401 in the Browser
- Make sure you are actually logged in, then reload the page.
- Clear cookies and cached credentials for the site, and sign in again.
- Check the URL — a protected endpoint may need you to authenticate first at a login page.
- If you use a password manager, confirm it filled the correct account.
How to Fix a 401 in an API or App
Most 401s in code come from a missing, wrong, or expired credential. Read the WWW-Authenticate header the server returns to learn which scheme it expects, then send the matching Authorization header. A Bearer-token example in Python:
import requests
# Send a bearer token in the Authorization header
headers = {"Authorization": "Bearer YOUR_API_TOKEN"}
r = requests.get("https://api.example.com/data", headers=headers, timeout=20)
if r.status_code == 401:
# token missing/expired -> refresh it, then retry
print("Unauthorized:", r.headers.get("WWW-Authenticate"))
else:
print(r.json())
For Basic auth, pass credentials directly instead:
r = requests.get("https://api.example.com/data",
auth=("USERNAME", "PASSWORD"), timeout=20)
If the token is expired, implement a refresh step and retry once. If it is simply wrong, regenerate the key in the provider's dashboard.
401 in Web Scraping
When scraping, a 401 usually means the target resource is genuinely behind a login or API key — scraping public data will not hit it, but hitting an authenticated endpoint will. Two things to keep straight:
- If the 401 comes from the target site, you are requesting a protected resource. Only access data you are authorized to access, and supply the correct API credentials for endpoints that legitimately require them.
- If you meant to authenticate to your proxy, a proxy credential problem returns 407, not 401. With SpyderProxy you authenticate by putting your username and password in the endpoint, so proxy auth is handled in one line:
import requests
# Proxy auth lives in the endpoint (a proxy failure would be 407, not 401)
proxy = "http://USERNAME:[email protected]:12321"
proxies = {"http": proxy, "https": proxy}
r = requests.get("https://httpbin.org/ip", proxies=proxies, timeout=20)
print(r.status_code, r.json())
A 401 is never fixed by rotating IPs — it is an identity problem, not a blocking problem. If instead you are seeing bans or 429 rate limits, that is where residential proxies help.
Frequently Asked Questions
What is the difference between 401 and 403?
A 401 Unauthorized means you are not authenticated — the server does not know who you are because credentials are missing or invalid. A 403 Forbidden means you are authenticated but not allowed to access that specific resource. Fix a 401 by logging in with valid credentials; fix a 403 by obtaining the right permissions.
How do I fix a 401 Unauthorized error?
Supply valid credentials. In a browser, log in again and clear stale cookies. In an API, send the correct Authorization header for the scheme the server expects (Bearer token or Basic auth), and refresh the token if it has expired. Check the WWW-Authenticate header to see what the server wants.
Does a 401 mean my proxy is broken?
No. Proxy authentication failures return 407 Proxy Authentication Required, not 401. A 401 comes from the target server and means the resource itself requires authentication you did not provide.
Will rotating proxies fix a 401?
No. A 401 is an authentication problem, not an IP-blocking problem, so changing IPs will not help. Rotating residential proxies address rate limits and bans (429 or 403 from over-requesting), not missing credentials.
Conclusion
A 401 Unauthorized is one of the more straightforward HTTP errors once you know the pattern: the server needs to know who you are, and your request did not prove it. Read the WWW-Authenticate header, send valid credentials in the right scheme, refresh expired tokens, and remember that proxy-side auth failures are 407, not 401.
Need reliable proxies for scraping that avoid the blocks 401 has nothing to do with? Explore SpyderProxy residential proxies from $2.75/GB, ethically sourced across 195+ countries.