Auth Incident Playbook (401 / UNAUTHENTICATED)

Q: What is the core difference between 401 and 403 during incidents?

Use 401 when authentication credentials are missing or invalid. Use 403 when authentication succeeded but policy denies access.

Q: Why does authentication still fail after token refresh?

A refreshed token can still carry the wrong audience or issuer for the target API. A proxy can still mutate or strip auth headers before verification. The runtime can still resolve credentials from a different source than expected.

Q: Should responders retry 401 or UNAUTHENTICATED automatically?

Retries keep failing when requests reuse invalid credentials or stale auth context. Fresh credentials, corrected audience-issuer alignment, and corrected credential source must change first. Blind retries only repeat the same identity-proof failure.

Q: How do clock skew and JWKS cache staleness cause persistent auth failures?

Clock drift causes `exp` and `nbf` checks to fail because token validity windows no longer align with verifier time. Stale JWKS cache causes signature verification failures after key rotation because the verifier still uses old keys for `kid` lookup. Check clock sync and NTP health first on failing nodes, then check JWKS cache refresh timing and key-rotation telemetry. These two faults together can keep failures active even after token refresh.

Use this playbook to separate missing, expired, or invalid identity proof from authorization and transport failures, and apply credential-source-correct fixes safely.

Last reviewed: February 23, 2026|Editorial standard: source-backed operational guidance

Quick Triage

-Classify semantics first: treat HTTP 401 and gRPC UNAUTHENTICATED as failed identity proof, and treat 403/PERMISSION_DENIED as post-auth authorization denial.
-Capture one failing request with `request_id`, method, path, `WWW-Authenticate`, auth scheme, token claims (`iss`, `aud`, `exp`, `nbf`), and runtime credential source before changing policies.
-Determine whether the incident is missing credentials, expired or invalid credentials, or credential-source mismatch.

Execution Steps

1Reproduce one authentication failure and preserve request ID, raw request headers, response challenge, and runtime credential source.
2Validate auth transport by confirming clients send authorization metadata unchanged through CDN, gateway, and service mesh hops.
3Trace AWS default credential provider chain resolution on the failing runtime.
4Trace Azure credential chain and GCP Application Default Credentials or service-account source on the failing runtime.
5Validate bearer token integrity by checking signature key (`kid`), `iss`, `aud`, `exp`, and `nbf` against the target API.
6Compare clock sync, key-rotation state, and environment config between healthy and failing nodes.
7Apply minimal credential or issuer-audience fixes for the exact caller-service tuple, retest, and remove temporary broad overrides.

Diagnosis Dimensions

-Protocol semantics: 401 and UNAUTHENTICATED indicate failed identity proof, while 403 and PERMISSION_DENIED indicate authorization denial after successful authentication.
-Layer ownership: edge challenge behavior, transport header integrity, and token verification logic each define a separate auth failure boundary.
-Scope correctness: token tenant, account, project, audience, region, and endpoint namespace alignment determines whether identity proof matches the called resource.
-Safety checks: least-privilege remediation, single-path credential changes, and controlled rollout checks prevent broad auth regressions.

Verify Recovery

-Replay the original failing flow and confirm success only for the intended principal, token scope, and endpoint.
-Verify invalid or expired credentials still return 401 or UNAUTHENTICATED, proving controls were not over-broadened.
-Observe auth-failure rate by `reason`, `issuer`, `audience`, and `credential_source` for at least one sustained traffic window after rollout.

What To Avoid

-Avoid granting broad admin roles before proving the authentication root cause.
-Avoid rotating all secrets before extracting `WWW-Authenticate` and token-claim evidence.
-Avoid fixing policy layers when proxies strip or rewrite auth headers in transit.
-Avoid leaving wildcard issuer-audience exceptions or long-lived debug tokens in production.

Pro Tip

-Log normalized auth telemetry fields: `reason`, `challenge`, `issuer`, `audience`, `credential_source`, `clock_skew_ms`, and `request_id`.
-Enforce a fixed triage order: challenge semantics, transport integrity, token claims, credential-source chain, then policy checks.

Frequently Asked Questions

What is the core difference between 401 and 403 during incidents?

Use 401 when authentication credentials are missing or invalid. Use 403 when authentication succeeded but policy denies access.

Why does authentication still fail after token refresh?

A refreshed token can still carry the wrong audience or issuer for the target API. A proxy can still mutate or strip auth headers before verification. The runtime can still resolve credentials from a different source than expected.

Should responders retry 401 or UNAUTHENTICATED automatically?

Retries keep failing when requests reuse invalid credentials or stale auth context. Fresh credentials, corrected audience-issuer alignment, and corrected credential source must change first. Blind retries only repeat the same identity-proof failure.

How do clock skew and JWKS cache staleness cause persistent auth failures?

Clock drift causes `exp` and `nbf` checks to fail because token validity windows no longer align with verifier time. Stale JWKS cache causes signature verification failures after key rotation because the verifier still uses old keys for `kid` lookup. Check clock sync and NTP health first on failing nodes, then check JWKS cache refresh timing and key-rotation telemetry. These two faults together can keep failures active even after token refresh.

Official References

Related Error Pages

HTTP 401 HTTP 403 AWS InvalidAccessKeyId AWS InvalidClientTokenId AWS ExpiredToken AWS SignatureDoesNotMatch AZURE InvalidAuthenticationTokenTenant GCP UNAUTHENTICATED

Quick Triage

-Classify semantics first: treat HTTP 401 and gRPC UNAUTHENTICATED as failed identity proof, and treat 403/PERMISSION_DENIED as post-auth authorization denial.

-Capture one failing request with `request_id`, method, path, `WWW-Authenticate`, auth scheme, token claims (`iss`, `aud`, `exp`, `nbf`), and runtime credential source before changing policies.

-Determine whether the incident is missing credentials, expired or invalid credentials, or credential-source mismatch.

Execution Steps

1Reproduce one authentication failure and preserve request ID, raw request headers, response challenge, and runtime credential source.

2Validate auth transport by confirming clients send authorization metadata unchanged through CDN, gateway, and service mesh hops.

3Trace AWS default credential provider chain resolution on the failing runtime.

4Trace Azure credential chain and GCP Application Default Credentials or service-account source on the failing runtime.

5Validate bearer token integrity by checking signature key (`kid`), `iss`, `aud`, `exp`, and `nbf` against the target API.

6Compare clock sync, key-rotation state, and environment config between healthy and failing nodes.

7Apply minimal credential or issuer-audience fixes for the exact caller-service tuple, retest, and remove temporary broad overrides.

Diagnosis Dimensions

-Protocol semantics: 401 and UNAUTHENTICATED indicate failed identity proof, while 403 and PERMISSION_DENIED indicate authorization denial after successful authentication.

-Layer ownership: edge challenge behavior, transport header integrity, and token verification logic each define a separate auth failure boundary.

-Scope correctness: token tenant, account, project, audience, region, and endpoint namespace alignment determines whether identity proof matches the called resource.

-Safety checks: least-privilege remediation, single-path credential changes, and controlled rollout checks prevent broad auth regressions.

Verify Recovery

-Replay the original failing flow and confirm success only for the intended principal, token scope, and endpoint.

-Verify invalid or expired credentials still return 401 or UNAUTHENTICATED, proving controls were not over-broadened.

-Observe auth-failure rate by `reason`, `issuer`, `audience`, and `credential_source` for at least one sustained traffic window after rollout.

What To Avoid

-Avoid granting broad admin roles before proving the authentication root cause.

-Avoid rotating all secrets before extracting `WWW-Authenticate` and token-claim evidence.

-Avoid fixing policy layers when proxies strip or rewrite auth headers in transit.

-Avoid leaving wildcard issuer-audience exceptions or long-lived debug tokens in production.

Frequently Asked Questions

What is the core difference between 401 and 403 during incidents?

Use 401 when authentication credentials are missing or invalid. Use 403 when authentication succeeded but policy denies access.