Identity proof failures caused by missing, invalid, or expired credentials.
Last reviewed: March 7, 2026|7 mapped errors
Authentication errors occur before permission checks, when the service cannot establish or trust caller identity for the current request.
Provider-specific error pages mapped to this category (7 total). Showing 1-7.
Azure AADSTS7000215 indicates that the client secret value provided in a token request is invalid for the specified application. This is a specific credential mismatch often caused by using the Secret ID instead of the actual secret value or by rotation drift.
Azure Resource Manager returns `InvalidAuthenticationTokenTenant` when the access token was issued by a tenant that does not match the target subscription tenant.
GCP CANCELLED means the operation was canceled, typically by caller context cancellation or connection/session teardown.
GCP UNAUTHENTICATED means the request does not include valid authentication credentials for the requested Google Cloud API operation.
HTTP 401 Unauthorized means the request lacks valid authentication credentials for the target resource.
HTTP 402 Payment Required is reserved for future use in the standard and is usually provider-specific in practice.
HTTP 407 Proxy Authentication Required means the client must authenticate with a proxy before the request can proceed.
Compare Guide
Fix 401 Unauthorized vs 403 Forbidden by separating authentication failures from authorization denials, then apply the right login or permission fix fast.
Playbook
Use this playbook to separate missing, expired, or invalid identity proof from authorization and transport failures, and apply credential-source-correct fixes safely.
Runtime credential precedence often differs by environment. Production may resolve stale environment credentials, wrong audience tokens, or stripped auth headers.
They should return 401-class semantics because identity validation failed. Use 403 for authenticated identities that are denied by policy.
Validate token claims and credential source first, then rotate or refresh credentials only where claim or key mismatch is confirmed.