401 vs 403: Unauthorized vs Forbidden
Both status codes appear frequently in production traffic but communicate different intent.
| Aspect | 401 | 403 |
|---|---|---|
| Meaning | The request lacks valid authentication credentials for the target resource. Despite the name, this is an authentication failure: the client does not know who the client is yet, and a retry with credentials could succeed. | The server understood the request and knows who the client is, but refuses to authorize it. Re-authenticating will not change the outcome. |
| Typical use case | A missing, expired or malformed credential (no Authorization header, or a bearer token that fails validation). The response must carry a WWW-Authenticate header naming the accepted scheme so the client knows how to authenticate. | An authenticated principal requesting an action its permissions do not allow (for example a read-only user attempting a delete). |
| Operational note | Monitor cache/client behavior when returning 401. Many clients and libraries treat 401 as a prompt to re-authenticate, so returning it for a permission failure can put a correctly authenticated client into a retry loop. | Monitor cache/client behavior when returning 403. A 403 confirms that the resource exists; where existence itself is sensitive, a server may respond with 404 instead. |
When to use one vs the other
Choose the code that most accurately reflects the semantics and the client behavior you expect: 401 when the problem is identity (no valid credentials were presented, and the client should authenticate and retry), 403 when identity is established and the answer is still no. Make the authentication check first and the authorization check second, and never leak the second decision through the first.
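An added example (not part of the original page): a Go net/http handler that applies this rule, returning 401 with a WWW-Authenticate challenge when no valid credential is presented and 403 when the credential is valid but the principal may not perform the method. The token table, the canDelete map and the realm "api" are constructed sample data.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)

// Constructed sample data (not a real system): bearer token -> principal, and who
// may delete. A real service would call a token verifier and a policy check here.
var tokens = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}
var canDelete = map[string]bool{"alice": true}

// decide returns 401 when no valid credential was presented (a retry with credentials
// could succeed), 403 when it is valid but the principal may not use method, else 200.
func decide(authHeader, method string) (status int, principal string) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return http.StatusUnauthorized, ""
	}
	presented := strings.TrimPrefix(authHeader, "Bearer ")
	for tok, who := range tokens {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(presented)) == 1 {
			if method == http.MethodDelete && !canDelete[who] {
				return http.StatusForbidden, who
			}
			return http.StatusOK, who
		}
	}
	return http.StatusUnauthorized, "" // credential present but not recognised
}

func handler(w http.ResponseWriter, r *http.Request) {
	status, who := decide(r.Header.Get("Authorization"), r.Method)
	w.Header().Set("Cache-Control", "no-store") // never let a cache replay a denial
	switch status {
	case http.StatusUnauthorized:
		// RFC 9110 requires a WWW-Authenticate challenge on every 401.
		w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
		http.Error(w, "authentication required", status)
	case http.StatusForbidden:
		http.Error(w, "not permitted", status)
	default:
		w.Write([]byte("hello " + who + "\n"))
	}
}

func main() {
	http.HandleFunc("/items", handler)
	http.ListenAndServe(":8080", nil)
}
```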
FAQ
Can I swap these codes?
No. Returning the wrong code can break clients, SEO expectations, or caching behavior: a 403 where 401 belongs omits the WWW-Authenticate challenge clients rely on to authenticate, and a 401 where 403 belongs invites a pointless re-authentication retry.