HTTP
401 vs 403: Which One Should I Return?
The difference between 401 Unauthorized and 403 Forbidden confuses many developers, not least because the name of 401 is misleading: it really means unauthenticated. This short decision tree clarifies the distinction: 401 means 'tell me who you are' (the request carried no usable credentials, and the response must include a WWW-Authenticate header challenging the client to supply some), while 403 means 'I know who you are and the answer is no' (the credentials were accepted, the server refuses to authorize the request, and re-sending the same credentials will not change the outcome).
Decision Steps
Did the request include authentication credentials (e.g., Authorization header, session cookie, API key)?
Are the provided credentials valid and recognized by the server?
Does the authenticated user have the required role, scope, or permission to access this resource?
Would confirming that this resource exists leak information to a caller who is not allowed to see it (for example by letting an attacker enumerate admin endpoints or other tenants' records)? If so, a 404 may be returned in place of the 403 so that an unauthorized caller cannot tell 'exists but forbidden' from 'does not exist'. This is not security by obscurity: the authorization check still runs and still denies the request; the response merely avoids disclosing that the resource is there.
Possible Outcomes
401 Unauthorized
No credentials, or credentials the server does not recognize. Send a WWW-Authenticate challenge with the response; the client is expected to authenticate and retry. (A browser that receives a Basic or Digest challenge will show a login prompt.)
403 Forbidden
Valid, recognized credentials but insufficient role, scope or permission. Retrying with the same credentials will not succeed, so no WWW-Authenticate challenge is sent.
404 Not Found
The resource exists and the caller is not permitted to access it, but the server chooses not to disclose that it exists. Make this response indistinguishable from a genuine 404 (same body and headers, and as far as practical the same response time), and apply the rule consistently across the whole resource class: a mix of 403 and 404 for sibling resources tells an attacker exactly which ones exist.
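The decision tree above, worked through in code as an added example (it is not part of the original page). It assumes Bearer tokens as the credential (RFC 6750 challenge syntax), a realm called "example", and two constructed lookup tables, USERS and RESOURCES, standing in for a real credential store and authorization policy. Unauthenticated requests get 401 with a challenge whether or not the path exists, so existence is never disclosed before authentication; an authenticated caller who lacks the role gets 403 for ordinary resources and a 404 identical to the not-found case for hidden ones.

```python
import hmac
from dataclasses import dataclass, field

REALM = "example"  # assumed realm name used in the WWW-Authenticate challenge

# Constructed credential store for this example: bearer token -> principal.
# A real service would store and compare hashed tokens, not a literal dict.
USERS = {
    "tok-alice": {"name": "alice", "roles": {"admin", "reader"}},
    "tok-bob": {"name": "bob", "roles": {"reader"}},
}

# Constructed policy table: path -> (role required, hide existence from the
# unauthorized). Hidden resources answer 404 instead of 403 on denial.
RESOURCES = {
    "/reports": ("reader", False),
    "/reports/purge": ("admin", False),  # anyone may learn it exists; 403 if not admin
    "/admin/users": ("admin", True),     # non-admins must not learn it exists; 404
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def _challenge(error=None):
    # RFC 6750 Bearer challenge. error="invalid_token" tells the client its
    # credentials were rejected, as opposed to merely missing.
    value = f'Bearer realm="{REALM}"'
    if error:
        value += f', error="{error}"'
    return {"WWW-Authenticate": value}


def _lookup_principal(token):
    # Compare against every stored token with a constant-time comparison so the
    # position of the first mismatching byte is not observable as a timing difference.
    for stored, principal in USERS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return principal
    return None


def authorize(path, headers):
    """Walk the decision tree and return the status (and headers) to send."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # Step 1: did the request carry credentials at all?
    auth = headers.get("authorization")
    if auth is None:
        return Response(401, _challenge())
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # Wrong scheme or empty token: still "tell me who you are".
        return Response(401, _challenge())

    # Step 2: are the credentials valid and recognized?
    principal = _lookup_principal(token)
    if principal is None:
        return Response(401, _challenge("invalid_token"))

    # Only an authenticated caller gets to learn anything about the path.
    resource = RESOURCES.get(path)
    if resource is None:
        return Response(404)

    # Step 3: does the caller hold the required role?
    required_role, hidden = resource
    if required_role in principal["roles"]:
        return Response(200)

    # Step 4: deny, and decide whether the denial may reveal that the resource exists.
    return Response(404) if hidden else Response(403)


if __name__ == "__main__":
    for req_path, req_headers in [
        ("/reports", {}),
        ("/reports", {"Authorization": "Bearer nope"}),
        ("/reports/purge", {"Authorization": "Bearer tok-bob"}),
        ("/admin/users", {"Authorization": "Bearer tok-bob"}),
        ("/admin/users", {"Authorization": "Bearer tok-alice"}),
    ]:
        print(req_path, req_headers, "->", authorize(req_path, req_headers))
```

Note that the unknown-path case and the hidden-but-forbidden case return the same Response object shape; in a real server the body, headers and, as far as practical, the response time must also match, or the two become distinguishable again.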