401 vs 407: Unauthorized vs Proxy Authentication Required
401 and 407 can look similar in logs, but they tell clients, crawlers, and API consumers different things.
| Aspect | HTTP 401 — Unauthorized | HTTP 407 — Proxy Authentication Required |
|---|---|---|
| Definition | Despite the name, 401 is specifically about authentication, not authorization. The server requires the client to authenticate. The response includes a WWW-Authenticate header describing the required authentication scheme. | 407 means the client must authenticate with a proxy before the request can proceed; the response tells the client what to do next. |
| Plain-language summary | Authentication is required and has not been provided, or the provided credentials are invalid. The response includes a WWW-Authenticate header describing the required authentication scheme. Despite the name "Unauthorized," this code is specifically about authentication, not authorization. | HTTP 407 Proxy Authentication Required is a client error (4xx) response. |
| When to use | Return 401 when the client has not provided credentials or the provided credentials are invalid/expired. Use 403 when the client is authenticated but lacks permission. Include a WWW-Authenticate header specifying the authentication scheme (Bearer, Basic, etc.) so clients know how to authenticate. | HTTP 407 Proxy Authentication Required is a client error (4xx) response. |
| Client behavior | Browser: prompts for credentials if WWW-Authenticate: Basic, otherwise shows a login page or error. API client: should prompt re-authentication or refresh the token. Automated clients: should attempt token refresh, then surface the error. Re-authenticating is appropriate and expected. | The client handles 407 according to client-error semantics. |
| Caching behavior | Not cached. Authentication errors are always re-evaluated. | See the caching specification for 407. |
| SEO / crawler impact | Search crawlers treat 401 as a client error when deciding indexation and link equity. | Search crawlers treat 407 as a client error when deciding indexation and link equity. |
| API / backend impact | API clients branching on 401 expect Unauthorized semantics. | API clients branching on 407 expect Proxy Authentication Required semantics. |
| Safe to retry? | Only after fixing the underlying cause | Only after fixing the underlying cause |
Common real-world scenarios
When you see HTTP 401
In API logs, 401s indicate expired tokens, missing Authorization headers, or invalid API keys. Common patterns: a spike in 401s after a token rotation, systematic 401s indicating a service account credential expired, or per-user 401 spikes from a mobile app that is not handling token refresh correctly.
When you see HTTP 407
407 appears in production when the request format is malformed or when there is an authentication or authorization mismatch.
Decision rule
Use 401 when the response should communicate that the request is unauthorized; use 407 when Proxy Authentication Required is the accurate protocol signal.
A frequent mistake is swapping 401 and 407 for convenience; that causes client retry bugs, incorrect cache signals, and misleading monitoring data.
Use 401 when the correct protocol signal is Unauthorized. Use 407 when the correct signal is Proxy Authentication Required. Returning either code for the wrong reason breaks client expectations, cache behavior, and monitoring accuracy.
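The client retry bug mentioned above, as an added example that is not from the original page: a client decides its next step from the exact status code, answering 401 with `Authorization` and 407 with `Proxy-Authorization`. The function name `plan_retry`, the credential maps and the sample header values are constructed for illustration; `Proxy-Authenticate` and `Proxy-Authorization` are the standard HTTP headers paired with 407 and are not named on this page.

```python
# status -> (challenge header the response must carry, header the retry must send)
CHALLENGE = {
    401: ("WWW-Authenticate", "Authorization"),
    407: ("Proxy-Authenticate", "Proxy-Authorization"),
}

def plan_retry(status, headers, origin_creds, proxy_creds, attempts=0):
    """Return the client's next step for a 401 or 407 response.

    origin_creds / proxy_creds map a lowercase scheme ("bearer", "basic") to
    the credential string for that scheme. They are kept separate so origin
    secrets are never sent to a proxy and proxy secrets never reach the origin.
    """
    if status not in CHALLENGE:
        return {"action": "none"}
    challenge_name, reply_name = CHALLENGE[status]
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get(challenge_name.lower(), "").strip()
    if not challenge:
        # Typical result of a server swapping 401 and 407: the status code and
        # the challenge header disagree, so there is nothing safe to answer.
        return {"action": "fail", "reason": f"{status} without {challenge_name}"}
    if attempts >= 1:
        # Credentials were already sent once and rejected; do not loop.
        return {"action": "fail", "reason": "credentials rejected"}
    scheme = challenge.split(None, 1)[0]  # only the first challenge is considered
    creds = origin_creds if status == 401 else proxy_creds
    secret = creds.get(scheme.lower())
    if secret is None:
        return {"action": "fail", "reason": f"no {scheme} credential available"}
    return {"action": "retry", "header": reply_name, "value": f"{scheme} {secret}"}

# Constructed sample credentials (not real secrets)
ORIGIN = {"bearer": "origin-token-example"}
PROXY = {"basic": "cHJveHk6ZXhhbXBsZQ=="}

if __name__ == "__main__":
    print(plan_retry(401, {"WWW-Authenticate": 'Bearer realm="api"'}, ORIGIN, PROXY))
    print(plan_retry(407, {"Proxy-Authenticate": 'Basic realm="proxy"'}, ORIGIN, PROXY))
    # Mis-signalled response: 407 status but an origin-style challenge header
    print(plan_retry(407, {"WWW-Authenticate": 'Bearer realm="api"'}, ORIGIN, PROXY))
```

The third call shows why swapping the codes breaks clients: the status asks for proxy credentials, no proxy challenge is present, and the client stops rather than sending the origin token to the wrong party.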
FAQ
What is the biggest difference between 401 and 407?
401 communicates Unauthorized, while 407 communicates Proxy Authentication Required. Choosing the right one keeps clients and intermediaries predictable.
Do 401 and 407 have SEO or caching impact?
Yes. Search engines and caches interpret status classes differently. Use each code according to its semantics to avoid accidental indexing, stale responses, or crawl inefficiency.
Can APIs safely return 401 instead of 407?
Only when it matches contract semantics. API clients often branch logic by exact code, so swapping them can break retries, auth handling, or user-facing errors.