HTTP 401 Unauthorized vs gRPC 16 UNAUTHENTICATED
HTTP 401 and gRPC UNAUTHENTICATED both mean the caller has not provided valid credentials. Despite the misleading name 'Unauthorized' in HTTP, both codes are about authentication (identity), not authorization (permissions).
설명
The request requires user authentication. The response includes a WWW-Authenticate header indicating the authentication scheme.
이 코드를 보게 되는 경우
When accessing a protected resource without credentials or with expired tokens.
해결 방법
Include valid authentication credentials (API key, Bearer token, Basic auth) in the Authorization header.
설명
The request does not have valid authentication credentials for the operation.
이 코드를 보게 되는 경우
No credentials were provided, or the provided token/certificate is expired or invalid. Different from PERMISSION_DENIED (code 7), which means authenticated but not authorized.
해결 방법
Provide valid authentication credentials (e.g., refresh the OAuth token, regenerate the API key, or renew the client certificate).
주요 차이점
HTTP 401 must include a WWW-Authenticate header specifying the authentication scheme; gRPC has no such requirement.
gRPC UNAUTHENTICATED is named more accurately — it clearly means 'not authenticated' rather than the confusing HTTP 'Unauthorized'.
HTTP 401 triggers browser-native authentication dialogs (Basic/Digest); gRPC has no browser-native auth flow.
In gRPC, credentials are typically sent via metadata (similar to HTTP headers) using tokens or certificates.
Both indicate the fix is the same: provide valid credentials (token, API key, certificate).
언제 어떤 것을 사용할지
Return HTTP 401 when a request lacks valid credentials — an expired JWT, missing API key, or invalid session cookie. Return gRPC UNAUTHENTICATED for the same reason in RPC calls. When building a gRPC-to-HTTP gateway, map gRPC 16 UNAUTHENTICATED to HTTP 401.