Identity proof failures caused by missing, invalid, or expired credentials.
Last reviewed: February 13, 2026 | 5 mapped errors
Authentication errors occur before permission checks, when the service cannot establish or trust caller identity for the current request.
Provider-specific error pages mapped to this category (5 total):
Microsoft Entra ID returns `AADSTS7000215` when an app sends an invalid client secret in token requests.
Azure Resource Manager returns `InvalidAuthenticationTokenTenant` when the access token was issued by a tenant that does not match the target subscription tenant.
GCP `CANCELLED` means the operation was canceled, typically by caller context cancellation or connection/session teardown.
GCP `UNAUTHENTICATED` means the request does not include valid authentication credentials for the requested Google Cloud API operation.
HTTP 401 Unauthorized means the request lacks valid authentication credentials for the target resource.
Compare Guide
Fix 401 Unauthorized vs 403 Forbidden by separating authentication failures from authorization denials, then apply the right login or permission fix fast.
Playbook
Use this playbook to separate missing, expired, or invalid identity proof from authorization and transport failures, and apply credential-source-correct fixes safely.
Runtime credential precedence often differs by environment. Production may resolve stale environment credentials, present tokens with the wrong audience, or have its auth headers stripped.
They should return 401-class semantics because identity validation failed. Use 403 for authenticated identities that are denied by policy.
Validate token claims and credential source first, then rotate or refresh credentials only where claim or key mismatch is confirmed.