A page is not loading. Not a "404 page not found," but something else: 401 Unauthorized. The server answers, but no access. This is not a glitch or a broken link. This is a deliberate response: you're missing the right permissions, or rather, the right identifier.
The 401 status code indicates that authentication is required, but it has not been provided or is invalid. Thus, it is not access that is explicitly denied (like a 403), but access that is not yet is allowed. You are simply not logged in.
What exactly does the 401 http status code say?
In technical terms, the server expects a valid Authorization header, but it is not present or is incorrect. In response, it sends:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Login required"
That WWW-Authenticate header is part of it. It is an invitation for the client to make itself known. As long as that step is missing, it will remain with a response 401: access denied because you are not logged in.
How do you see such a 401 error message?
In the browser? Usually you get a message along the lines of:
"This page is not working - HTTP 401"
Or you simply see "401 Unauthorized" on a blank screen. Sometimes a bare "Access denied." And for API calls, you usually get a JSON saying "error": "Unauthorized" or "code": 401.
It looks unspectacular, but it tells you exactly what you need to know: you requested something that requires authentication, and it was missing.
Causes of a 401 error
A status code 401 does not arise by accident. In practice, these are the most common causes:
- You are not logged in (yet), or your session has expired
- A token in the header is missing or has expired
- The server expects a specific login method (such as Basic or Bearer auth)
- A security layer or firewall blocks the request
- For APIs: the access token is invalid or not provided
Anything you query behind a secure layer, a user dashboard, an API endpoint, an admin environment, without proper credentials you will get back a 401 http.
How do you resolve error code 401?
In a Web environment, it is often simple: re-logging in usually solves the problem.
With API traffic, it's more nuanced. There you have to check whether your request contains headers with the correct authentication, such as a Bearer token. If this is missing, or if the token has expired, an unrelenting status 401.
Sometimes it's something as simple as a plugin that demands additional authentication, or a redirect that interrupts the session. Working with tools like Postman or Insomnia will help you check step by step that your request is complete.
How can you recognize 401 status yourself?
In your browser use the developer tools, tab Network. There you will see the status code for each request, code 401 is clearly visible, usually along with the corresponding header.
Do you prefer to use curl?
curl -I https://jouwdomein.nl/beveiligd-endpoint
If you then get HTTP/1.1 401 Unauthorized returned, you know enough. The server will not accept your request without further identification.
Tools like Screaming Frog also nicely display error messages such as error code 401 when they run into secure areas of a site.
What makes status code 401 different from 403?
This is often mixed up. Briefly:
- 401 status means: you are not logged in, so you may not enter yet
- 403 means: you are known but do not have permissions to see this
With an http 401, you can usually solve the problem by logging in or providing the correct headers. With a 403 it is more complicated: there you have to get permissions, or request access.
In conclusion
A 401 status code is technically very clear: no access without identification. Whether you are working with an API, an admin environment or a login-only page, the error message points you exactly to the problem, you are missing the proper authentication.
It is a common mistake, but not something to be afraid of. On the contrary. Those who read it carefully know: the server is working as it should. Only you still have to show who you are.
