401 Unauthorized

The HTTP 401 status code means a server requires authentication for the request.

HTTP has multiple authentication schemes, with Basic being the most common one.

GET /supersecret HTTP/2

If the server wants you to authenticate, it will send the WWW-Authenticate header with the desired authentication method:

HTTP/2 401 Unauthorized
WWW-Authenticate: Basic realm="You Shall Not Pass"

Clients authenticate by sending the Authorization header, which carries the name of the scheme they use followed by the credentials:

Authorization: Basic UGuz3XfqNdXC4VTng6VzYW1e

401 vs 403

403 Forbidden is more appropriate when you don’t have access to a particular resource or action, while 401 Unauthorized is for cases when you’re either not authenticated or authenticated incorrectly.

To portray this as a private party analogy:

Perhaps the better name for these status codes would have been 401 Unauthenticated and 403 Unauthorized.
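
The 401/403 distinction above, applied to the Basic scheme, as an added example that is not part of the original page. The user table, access list and function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample data (assumptions, not from the original page).
USERS = {"gandalf": "mellon", "frodo": "ring"}
ACL = {"/supersecret": {"gandalf"}}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="You Shall Not Pass"'}


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Base64 is an encoding, not encryption: anyone who sees the header can decode it.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def authorize(path, authorization=None):
    """Return (status, headers) for a request to `path`."""
    creds = parse_basic(authorization)
    if creds is None:
        return 401, CHALLENGE  # not authenticated: missing or malformed header
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison; unknown users fail even with an empty password.
    ok = hmac.compare_digest(password.encode(), expected.encode()) and user in USERS
    if not ok:
        return 401, CHALLENGE  # authenticated incorrectly
    if user not in ACL.get(path, set()):
        return 403, {}  # identity is known, but it has no access to this resource
    return 200, {}


def basic_header(user, password):
    """Build the Authorization value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Only the 401 responses carry the WWW-Authenticate challenge; the 403 does not, since re-sending credentials would not change the outcome.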