If you were to forget the word 'Bearer' before the JWT, you would encounter the 401 error. But if the authorization header is malformed it will return a 401.įor example, you might have a JWT (JSON Web Token) you want to include in the request header, which expects the format Authorization: Bearer eyJhbGci.yJV_adQssw5c. This is rare, and might be something you only really encounter while developing your own authenticated back ends. The latter can be potentially circumvented with a VPN.Ĥ01 errors can occur even if the user enters the correct credentials.
There are some instances where it's not quite as straightforward as that, though.Ĥ03 errors can occur because of restrictions not entirely dependent on the logged in user's credentials.įor example, a server may have locked down particular resources to only allow access from a predefined range of IP addresses, or may utilize geo-blocking. These are the two most common causes for this pair of errors. The most obvious time you'd encounter a 401 error, on the other hand, is when you have not logged in at all, or have provided the incorrect password. For example, a generic user may be attempting to load an 'admin' route. Common CausesĪs mentioned in the previous article, the 403 error can result when a user has logged in but they don't have sufficient privileges to access the requested resource.
Whereas 403 (Forbidden) is most recently defined in RFC 7231 The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it.If authentication credentials were provided in the request, the server considers them insufficient to grant access.
The most up to date RFC Standard defining 401 (Unauthorized) is RFC 7235 The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.The user agent MAY repeat the request with a new or replaced Authorization header field. So what exactly is the difference between the 401 (Unauthorized) and 403 (Forbidden) status codes? Surely they mean the same thing? Let's take a closer look! RFC Standards We've covered the 403 (Forbidden) HTTP Error code in some detail before, but it also has a near identical sibling.
0 kommentar(er)
