401 Unauthorized
Meaning
The request has not been applied because it lacks valid authentication credentials for the target resource.
When to Use
When authentication is required and has either failed or not been provided. The response must include a WWW-Authenticate header field with a challenge for the client.
Example
Accessing a protected endpoint without a valid token returns 401 Unauthorized, prompting the client to provide credentials (the WWW-Authenticate header indicates the required scheme).
When Not to Use
Do not use if the client is authenticated but not allowed to access the resource (use 403 Forbidden in that case).
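The 401 versus 403 decision described above, as an added example that is not part of the original page. It assumes the Bearer scheme (RFC 6750); the token table, the realm name and the authorize() helper are constructed for illustration.

```python
import hmac

# Constructed sample data: token -> scopes it grants (assumption, not from the page).
TOKENS = {"tok-reader": {"read"}, "tok-admin": {"read", "admin"}}
REALM = "example-api"  # hypothetical realm name


def _lookup(token):
    """Compare against every known token in constant time; return scopes or None."""
    found = None
    for known, scopes in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = scopes
    return found


def authorize(request_headers, required_scope):
    """Return (status, response_headers) for a request to a protected resource."""
    auth = request_headers.get("Authorization", "")
    scheme, _, credential = auth.partition(" ")
    credential = credential.strip()

    # No credentials, or a scheme we do not accept: 401 with a bare challenge.
    if scheme.lower() != "bearer" or not credential:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}

    scopes = _lookup(credential)
    # Credentials were sent but failed validation: still 401, and the
    # challenge carries the RFC 6750 error code so the client can tell why.
    if scopes is None:
        return 401, {
            "WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'
        }

    # Authenticated but not permitted: 403, sent here without a challenge
    # because presenting the same credentials again will not help.
    if required_scope not in scopes:
        return 403, {}

    return 200, {}
```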
Source
RFC 9110