HTTP Basics – 401 Unauthorized vs 403 Forbidden – what is the difference?

Have you ever wondered what the difference is between the 401 and 403 status codes in HTTP?

In this short text, I’m going to describe the main difference between the 401 and 403 status codes. I hope it will help you design better APIs.

So, let’s begin.

To understand the difference between these two status codes, let’s first define what authentication and authorization mean.

In my opinion, they’re often confused with each other.

Most modern web security systems grant access in two steps: first authentication (who are you?), then authorization (what are you allowed to do?).

Authentication 🚪🔑

Authentication is the process of verifying the identity of a person or a device.

Common use case: entering a username and password (or presenting an API token) to gain access to a website or web application.

Authorization 🕵️‍♀️

Authorization is the security mechanism that determines which actions an already-authenticated user or client is permitted to perform on the server’s resources.

Confusingly, `Authorization` is also the name of an HTTP request header, and that header carries credentials (for example `Authorization: Bearer <token>` or `Authorization: Basic <base64>`). Despite its name, it is used for authentication, not authorization.

401 – Unauthorized – Authentication issue

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource (RFC 7235). The specification also requires a 401 response to include a `WWW-Authenticate` header telling the client which authentication scheme to use.

Example:

You’d like to access the content of a resource but you’re not logged in (so not authenticated yet). The server will return a 401 response. You need to log in to be able to access the resource. The same response applies when credentials are present but not valid, for example an expired session or a mistyped password.

A common use case of the 401 status code is when the user is not authenticated – which means not logged in, logged out, or presenting invalid credentials.

403 – Forbidden – Authorization issue

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it (RFC 7231).

Example:

You’d like to delete a user, but you’re authenticated as a regular user, not as an admin. The server doesn’t allow regular users to perform such requests, so it will send you a 403 response. Re-authenticating with the same account won’t make any difference: the server already knows who you are, and the answer is still no.

A common use case of the 403 status code is when the authenticated user has no permission to perform the action.
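To make the two decisions concrete, here is an added example (not code from the original post) of a small request handler that applies exactly the split described in the two sections above: authentication first, then authorization. The token table, the permission table, and the `handle` function are assumptions made for this illustration; a real service would back them with a credential store and a policy engine.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample data: two bearer tokens and the principal each one maps to.
# Hypothetical values for the example only, not real credentials.
TOKENS = {
    "tok_alice_admin": {"user": "alice", "role": "admin"},
    "tok_bob_regular": {"user": "bob", "role": "user"},
}

# Hypothetical permission table: (HTTP method, top-level resource) -> roles allowed.
PERMISSIONS = {
    ("GET", "/users"): {"admin", "user"},
    ("DELETE", "/users"): {"admin"},
}


def authenticate(headers: Dict[str, str]) -> Optional[dict]:
    """Step 1: who is the caller? Returns the principal for a valid
    'Authorization: Bearer <token>' header, or None if it is missing or invalid."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # Constant-time comparison against each known token so a wrong guess
    # cannot be distinguished from a near-miss by timing.
    for known, principal in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return principal
    return None


def authorize(principal: dict, method: str, path: str) -> bool:
    """Step 2: may this (already identified) caller do this to this resource?"""
    resource = "/" + path.strip("/").split("/")[0]  # "/users/42" -> "/users"
    allowed = PERMISSIONS.get((method.upper(), resource), set())
    return principal["role"] in allowed


def handle(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status code, response headers) for a request.

    401: we do not know who you are (no or invalid credentials). RFC 7235
         requires the WWW-Authenticate challenge header on this response.
    403: we know who you are, and you are still not allowed.
    200: authenticated and authorized.
    """
    principal = authenticate(headers)
    if principal is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    if not authorize(principal, method, path):
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    print(handle("DELETE", "/users/42", {}))                                            # (401, {...})
    print(handle("DELETE", "/users/42", {"Authorization": "Bearer tok_bob_regular"}))   # (403, {})
    print(handle("DELETE", "/users/42", {"Authorization": "Bearer tok_alice_admin"}))   # (200, {})
```

Note the order: the handler never evaluates permissions for an unidentified caller, and it never asks an identified caller to log in again. If you find yourself returning 401 from a permission check, or 403 when a token is simply missing, the two steps have been mixed up.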

Conclusion

I’m sure you get the difference now: 401 means “I don’t know who you are”, 403 means “I know who you are, and you still can’t do this”. Take a look at the responses you get from various services to understand them better.

One caveat worth remembering when you design an API: a 403 confirms to the caller that the resource exists. RFC 7231 explicitly allows a server that wants to hide the existence of a forbidden resource to answer 404 (Not Found) instead, and many services do exactly that for resources belonging to other tenants.

I hope that understanding the difference between the 401 and 403 status codes will help you design and implement better APIs in your applications.
