What Happens When A Server Returns A 401 Unauthorized Response

A 401 Unauthorized is similar to the 403 Forbidden response, except that a 403 is returned when a request contains valid credentials but the client does not have permission to perform a certain action. When a server returns a 401, it is saying: "I don't know who you are, or I can't verify your identity."

401 Unauthorized headers. A 401 response must include the WWW-Authenticate header, which tells the client how to authenticate. This header typically contains

When to use the "401 Unauthorized" status code and when to use "403 Forbidden". Most likely, you know you have to return an HTTP status code. But which is the more appropriate one? Should it be 401 Unauthorized or 403 Forbidden? Or maybe something else? The HTTP 401 Unauthorized response is how your server asks a client to prove its identity. It is defined by RFC 7235 and always carries a WWW-Authenticate header so browsers or API clients know exactly what to send next. Common scenarios that trigger a 401 include

If you get a 401 Unauthorized error, chances are the token has expired or is invalid. A bad security setup, an insecure setting, or server configuration errors may also cause a 401 error response.

Access restricted to authorized users. A 401 Unauthorized response indicates missing or incorrect authentication credentials. The server includes a WWW-Authenticate header prompting authentication. In ASP.NET Core you can directly return a 401 status code from an action method using the Unauthorized() method provided by ControllerBase.
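The 401-versus-403 decision described above, as an added example that is not code from the original page: a small authorization routine that returns 401 with a WWW-Authenticate challenge when credentials are missing or invalid, and 403 with no challenge when the credentials are valid but lack the required role. The token table, the realm name "example-api", and the helper names (parse_bearer, lookup_token, authorize) are constructed for illustration; the error="invalid_token" parameter follows the Bearer scheme in RFC 6750.

```python
"""Decide between 401 Unauthorized and 403 Forbidden for an HTTP request.

Added example, not from the original page. The credential store below is
constructed sample data, not a real token database.
"""
import hmac
from typing import Dict, FrozenSet, Mapping, Optional, Tuple

# Constructed sample data: bearer token -> (subject, roles).
TOKENS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "tok-alice-01": ("alice", frozenset({"reader", "admin"})),
    "tok-bob-02": ("bob", frozenset({"reader"})),
}
REALM = "example-api"  # assumed realm name, advertised in WWW-Authenticate

Identity = Tuple[str, FrozenSet[str]]


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, credentials = authorization.partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def lookup_token(presented: str) -> Optional[Identity]:
    """Match the presented token against the store with a constant-time compare,
    so a byte-by-byte mismatch does not leak how much of a token was correct."""
    for known, identity in TOKENS.items():
        if hmac.compare_digest(known.encode(), presented.encode()):
            return identity
    return None


def authorize(headers: Mapping[str, str], required_role: str):
    """Return (status, response_headers, subject) for a request needing required_role.

    401: no usable credentials, or credentials that do not verify. The response
         carries WWW-Authenticate because RFC 7235 requires a challenge on 401.
    403: credentials verified to a known subject who lacks the role. No challenge
         is sent, because re-authenticating as the same subject would not help.
    """
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        challenge = 'Bearer realm="%s"' % REALM
        return 401, {"WWW-Authenticate": challenge}, None

    identity = lookup_token(token)
    if identity is None:
        # Token present but unknown (expired, revoked or forged): still 401.
        challenge = 'Bearer realm="%s", error="invalid_token"' % REALM
        return 401, {"WWW-Authenticate": challenge}, None

    subject, roles = identity
    if required_role not in roles:
        return 403, {}, subject
    return 200, {}, subject


if __name__ == "__main__":
    for hdrs, role in [({}, "reader"),
                       ({"Authorization": "Bearer nope"}, "reader"),
                       ({"Authorization": "Bearer tok-bob-02"}, "admin"),
                       ({"Authorization": "Bearer tok-alice-01"}, "admin")]:
        print(role, hdrs.get("Authorization"), "->", authorize(hdrs, role))
```

The distinction that matters for clients is the challenge header: a 401 tells the caller which scheme to use and, with error="invalid_token", that its existing token should be discarded and refreshed, whereas a 403 tells the caller that it is known and authentication will not change the outcome.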