Jun 23, 2026
4xx Client Error
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. Despite the name "Unauthorized", 401 actually means "unauthenticated": the client has not provided valid credentials.
When a request to a protected endpoint does not include an Authorization header or the provided token is invalid/expired, return 401 Unauthorized with a WWW-Authenticate header indicating the expected auth scheme (e.g., Bearer). The client can then prompt the user to log in or refresh their token.
// Laravel - 401 for a missing or invalid token.
// bearerToken() is null when no Authorization: Bearer header was sent;
// auth('api')->check() is false when the token fails validation or has expired
// (the guard name 'api' is assumed here; use whatever guard your app configures).
if (! $request->bearerToken() || ! auth('api')->check()) {
    return response()->json([
        'error' => 'Authentication required',
    ], 401)->header('WWW-Authenticate', 'Bearer realm="api"');
}
Mistake: Confusing 401 (unauthenticated) with 403 (unauthorized)
Fix: Use 401 when the client has not provided valid credentials or the credentials are missing. Use 403 when the client is authenticated but does not have permission to access the resource.
Mistake: Omitting the WWW-Authenticate header in 401 responses
Fix: The HTTP spec requires a WWW-Authenticate header in 401 responses. This tells the client what authentication scheme to use (Bearer, Basic, Digest, etc.). Without it, clients may not know how to authenticate.
Mistake: Returning 401 after login form submission
Fix: If the login endpoint itself receives invalid credentials, return 422 Unprocessable Content or a validation error. 401 is for protecting resources, not for login endpoint responses.
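The three rules above, carried through in one runnable example. This is added illustration code, not code from the page or from Laravel: it uses a hypothetical HMAC-signed bearer token (issue_token / verify_token), a constructed user table, and a constructed signing key, and its handlers return (status, headers, body) tuples instead of real framework responses. It distinguishes a missing credential (401, bare challenge), an invalid or expired credential (401 with the RFC 6750 error attribute), an authenticated caller without permission (403, no WWW-Authenticate), and a failed login submission (422 validation error).

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only: a real service would use its
# session/JWT library and a password hash such as bcrypt or argon2.
SIGNING_KEY = b"example-signing-key"
REALM = "api"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def issue_token(user, scopes, expires_at):
    """Mint a token: base64url(JSON claims) + '.' + HMAC-SHA256 tag (hypothetical format)."""
    claims = json.dumps({"sub": user, "scopes": scopes, "exp": expires_at}).encode()
    payload = base64.urlsafe_b64encode(claims).decode().rstrip("=")
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token, now):
    """Return the claims for a correctly signed, unexpired token, else None."""
    payload, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, TypeError):
        return None  # binascii.Error is a ValueError subclass
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def unauthorized(error_code=None):
    """401: every response carries a WWW-Authenticate challenge for the Bearer scheme."""
    challenge = f'Bearer realm="{REALM}"'
    if error_code:
        # RFC 6750 error attribute; omitted when the request sent no credentials at all
        challenge += f', error="{error_code}"'
    return 401, {"WWW-Authenticate": challenge}, {"error": "Authentication required"}


def handle_protected(headers, required_scope, now):
    """A protected endpoint: 401 for unauthenticated, 403 for authenticated-but-not-permitted."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return unauthorized()  # no credentials: bare challenge
    claims = verify_token(token, now)
    if claims is None:
        return unauthorized("invalid_token")  # bad signature or expired
    if required_scope not in claims["scopes"]:
        return 403, {}, {"error": "Forbidden"}  # authenticated, lacks permission
    return 200, {}, {"user": claims["sub"]}


def handle_login(form, now):
    """The login endpoint itself: wrong credentials are a validation failure (422), not 401."""
    username = form.get("username", "")
    submitted = hashlib.sha256(form.get("password", "").encode()).hexdigest()
    if not hmac.compare_digest(submitted, USERS.get(username, "")):
        return 422, {}, {"errors": {"credentials": ["The provided credentials are incorrect."]}}
    return 200, {}, {"token": issue_token(username, ["read"], now + 3600)}


if __name__ == "__main__":
    now = 1_000_000
    status, headers, body = handle_login({"username": "alice", "password": "correct horse"}, now)
    print(handle_protected({}, "read", now))
    print(handle_protected({"Authorization": "Bearer " + body["token"]}, "read", now))
    print(handle_protected({"Authorization": "Bearer " + body["token"]}, "write", now))
```

Note the asymmetry in the handlers: only the 401 branches attach WWW-Authenticate, because a 403 tells an already-authenticated client that re-authenticating will not help, and the login endpoint never answers 401 because the form submission is the credential, not a request for a protected resource.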