401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Q: Should an expired token return 401 or 403?

Return 401. In bearer-token flows, include challenge error metadata (for example `invalid_token`) so clients can refresh or re-authenticate deterministically.

Q: When is `WWW-Authenticate` required on 401 responses?

When HTTP authentication semantics are used, 401 should include a challenge describing expected auth scheme and recovery path.

Q: Can missing credentials be returned as 403?

Generally no. Missing or invalid credentials belong to 401, while 403 is for authenticated identities that still do not have required permission.

Fix 401 Unauthorized vs 403 Forbidden by separating authentication failures from authorization denials, then apply the right login or permission fix fast.

Last reviewed: February 20, 2026|Editorial standard: source-backed comparison guidance

Quick Decision

-Return 401 when authentication credentials are missing or not accepted for the target resource.
-Return 403 when identity is known but the requested action is not authorized by effective policy.
-If HTTP authentication semantics apply, 401 responses should carry a `WWW-Authenticate` challenge for client recovery.

Key Differences

-401 means authentication failed; 403 means authorization failed after authentication context is established.
-401 drives credential refresh/re-authentication flow; 403 drives permission, scope, role, or policy remediation.
-401 is challenge-oriented (`WWW-Authenticate`) in HTTP auth contexts; 403 is denial-oriented and does not imply re-authentication will help.
-Mislabeling invalid credentials as 403 often breaks automated token refresh and incident classification.

When To Use 401 Unauthorized

-Request omits required auth material (for example no `Authorization` header where required).
-Credential validation fails (expired token, invalid signature, issuer/audience mismatch, malformed bearer token).
-Endpoint expects challenge-response auth behavior and caller has not satisfied it.

When To Use 403 Forbidden

-Caller identity is valid, but effective permissions do not allow the attempted operation.
-Resource policy, IAM role/scope, ABAC rule, or deny policy blocks action at the target scope.
-Business/legal control intentionally denies operation for this authenticated principal.

Step-by-Step Diagnosis

1Determine boundary first: did authentication validation fail, or did policy evaluation deny after auth succeeded?
2Capture response status plus auth headers and verify `WWW-Authenticate` challenge content where applicable.
3Inspect token claims and credential source (`iss`, `aud`, `exp`, `nbf`) before changing authorization policy.
4If auth succeeds, trace effective permission chain for the exact principal/action/resource tuple.

Common Misclassifications

-Returning 403 for expired or invalid tokens, which hides needed credential recovery.
-Returning 401 for valid principals that simply lack permission, causing unnecessary login loops.
-Returning bare 401 without meaningful challenge metadata, forcing clients to guess auth scheme and remediation.

Response Examples

401 when bearer token is invalid or expiredhttp

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired"

{
  "error": "invalid_token",
  "message": "Access token is expired or malformed."
}

403 when identity is valid but scope is insufficienthttp

HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer realm="api", error="insufficient_scope", scope="orders:write"

{
  "error": "insufficient_scope",
  "required_scope": "orders:write"
}

Pro Tip

-Track 401 and 403 as separate incident classes with distinct runbooks; this prevents policy teams from debugging token failures and identity teams from chasing permission drift.

Frequently Asked Questions

Should an expired token return 401 or 403?

Return 401. In bearer-token flows, include challenge error metadata (for example `invalid_token`) so clients can refresh or re-authenticate deterministically.

When is `WWW-Authenticate` required on 401 responses?

When HTTP authentication semantics are used, 401 should include a challenge describing expected auth scheme and recovery path.

Can missing credentials be returned as 403?

Generally no. Missing or invalid credentials belong to 401, while 403 is for authenticated identities that still do not have required permission.

401 Unauthorized

Open detail page

403 Forbidden

Open detail page

Official References

403 Forbidden vs 404 Not Found: When to Hide Resources

Use 403 for explicit access denial, or 404 to conceal resource existence when security policy requires reducing endpoint and object enumeration risk.

404 Not Found vs 410 Gone: Missing vs Permanent Removal

Learn when to return 404 (missing or temporary absence) versus 410 (intentional permanent removal), including redirect and cache implications.

Quick Decision

-Return 401 when authentication credentials are missing or not accepted for the target resource.

-Return 403 when identity is known but the requested action is not authorized by effective policy.

-If HTTP authentication semantics apply, 401 responses should carry a `WWW-Authenticate` challenge for client recovery.

Key Differences

-401 means authentication failed; 403 means authorization failed after authentication context is established.

-401 drives credential refresh/re-authentication flow; 403 drives permission, scope, role, or policy remediation.

-401 is challenge-oriented (`WWW-Authenticate`) in HTTP auth contexts; 403 is denial-oriented and does not imply re-authentication will help.

-Mislabeling invalid credentials as 403 often breaks automated token refresh and incident classification.

Step-by-Step Diagnosis

1Determine boundary first: did authentication validation fail, or did policy evaluation deny after auth succeeded?

2Capture response status plus auth headers and verify `WWW-Authenticate` challenge content where applicable.

3Inspect token claims and credential source (`iss`, `aud`, `exp`, `nbf`) before changing authorization policy.

4If auth succeeds, trace effective permission chain for the exact principal/action/resource tuple.

Response Examples

401 when bearer token is invalid or expiredhttp

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired"

{
  "error": "invalid_token",
  "message": "Access token is expired or malformed."
}

403 when identity is valid but scope is insufficienthttp

HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer realm="api", error="insufficient_scope", scope="orders:write"

{
  "error": "insufficient_scope",
  "required_scope": "orders:write"
}

Frequently Asked Questions

Should an expired token return 401 or 403?

Return 401. In bearer-token flows, include challenge error metadata (for example `invalid_token`) so clients can refresh or re-authenticate deterministically.

When is `WWW-Authenticate` required on 401 responses?

When HTTP authentication semantics are used, 401 should include a challenge describing expected auth scheme and recovery path.

Can missing credentials be returned as 403?

Generally no. Missing or invalid credentials belong to 401, while 403 is for authenticated identities that still do not have required permission.

401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Quick Decision

Key Differences

When To Use 401 Unauthorized

When To Use 403 Forbidden

Step-by-Step Diagnosis

Common Misclassifications

Response Examples

Pro Tip

Frequently Asked Questions

Should an expired token return 401 or 403?

When is `WWW-Authenticate` required on 401 responses?

Can missing credentials be returned as 403?

401 Unauthorized

403 Forbidden

Official References

Related Articles

403 Forbidden vs 404 Not Found: When to Hide Resources

404 Not Found vs 410 Gone: Missing vs Permanent Removal

401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Quick Decision

Key Differences

When To Use 401 Unauthorized

When To Use 403 Forbidden

Step-by-Step Diagnosis

Common Misclassifications

Response Examples

Pro Tip

Frequently Asked Questions

Should an expired token return 401 or 403?

When is `WWW-Authenticate` required on 401 responses?

Can missing credentials be returned as 403?

401 Unauthorized

403 Forbidden

Official References

Related Articles

403 Forbidden vs 404 Not Found: When to Hide Resources

404 Not Found vs 410 Gone: Missing vs Permanent Removal