401 vs 403: Authentication vs Authorization

Explains how to tell 'you need to log in' apart from 'you don't have permission.'

Despite its name, 401 Unauthorized actually means 'not authenticated.' It signals that credentials are missing or invalid, and the server uses the WWW-Authenticate header to indicate what kind of authentication is required. It often resolves once you log in or refresh your token.

403 Forbidden means you are authenticated but do not have permission to access the resource. Logging in again yields the same result. You need to check user roles and permissions, resource ownership, IP and firewall (WAF) rules, and OAuth scopes.

In short, 401 means 'I don't know who you are,' while 403 means 'I know who you are, but I can't allow it.' For security, some servers return 404 instead of 403 to hide the very existence of a resource.