401 vs 403: Which One Should I Return?
The difference between 401 Unauthorized and 403 Forbidden confuses many developers. This short decision tree clarifies the distinction: 401 means 'tell me who you are', while 403 means 'I know who you are and the answer is no'.
Decision Steps
Did the request include authentication credentials (e.g., Authorization header, session cookie, API key)?
Are the provided credentials valid and recognized by the server?
Does the authenticated user have the required role, scope, or permission to access this resource?
Do you want to hide the existence of this resource from unauthorized users (security by obscurity)?
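The four questions above, walked in order as a response-selection function. This is an added example, not code from the original page. The token table, scope names, the `Resource` type and the `decide` function are hypothetical. The outcome attached to each step is an assumption based on standard HTTP semantics (RFC 9110, and RFC 6750 for the Bearer challenge), since only the questions appear here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample credential store: bearer token -> granted scopes.
TOKENS: Dict[str, set] = {
    "tok-alice": {"reports:read"},
    "tok-bob": {"reports:read", "admin:write"},
}

@dataclass
class Resource:
    required_scope: str
    hide_existence: bool = False  # step 4: answer 404 instead of 403

def decide(authorization: Optional[str], resource: Resource) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a request, following the decision steps."""
    # Step 1: no credentials at all -> 401 with a challenge.
    # A 401 response must carry WWW-Authenticate so the client knows how to authenticate.
    if not authorization:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}

    # Step 2: credentials present but wrong scheme or unknown token -> still 401.
    # The caller has not proven who they are, so this is not an authorization failure.
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token not in TOKENS:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}

    # Step 3: identity is known; check permission.
    if resource.required_scope in TOKENS[token]:
        return 200, {}

    # Step 4: known identity, insufficient permission.
    # 404 hides the resource; 403 admits it exists but refuses access.
    if resource.hide_existence:
        return 404, {}
    return 403, {}
```

If step 4 is used, the 404 body and headers should match what a genuinely missing path returns, otherwise the difference itself reveals the resource.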