511 vs 401: Network Authentication Required vs Unauthorized
511 and 401 can look similar in logs, but they tell clients, crawlers, and API consumers different things.
| Aspect | HTTP 511 — Network Authentication Required | HTTP 401 — Unauthorized |
|---|---|---|
| Definition | Network Authentication Required describes how the server processed the request and what the client should do next. | Despite the name, 401 is specifically about authentication, not authorization. The server requires the client to authenticate. The response includes a WWW-Authenticate header describing the required authentication scheme. |
| Plain-language summary | HTTP 511 Network Authentication Required indicates a server errors response outcome. | Authentication is required and has not been provided, or the provided credentials are invalid. The response includes a WWW-Authenticate header describing the required authentication scheme. Despite the name "Unauthorized," this code is specifically about authentication, not authorization. |
| When to use | HTTP 511 Network Authentication Required indicates a server errors response outcome. | Return 401 when the client has not provided credentials or the provided credentials are invalid/expired. Use 403 when the client is authenticated but lacks permission. Include a WWW-Authenticate header specifying the authentication scheme (Bearer, Basic, etc.) so clients know how to authenticate. |
| Client behavior | Client handles 511 according to server-errors semantics. | Browser: prompts for credentials if WWW-Authenticate: Basic, otherwise shows a login page or error. API client: should prompt re-authentication or refresh the token. Automated clients: should attempt token refresh, then surface the error. Re-authenticating is appropriate and expected. |
| Caching behavior | See 511 caching spec. | Not cached. Authentication errors are always re-evaluated. |
| SEO / crawler impact | Search crawlers interpret 511 (server-errors) for indexation and link equity accordingly. | Search crawlers interpret 401 (client-errors) for indexation and link equity accordingly. |
| API / backend impact | API clients branching on 511 expect Network Authentication Required semantics. | API clients branching on 401 expect Unauthorized semantics. |
| Safe to retry? | Yes, with backoff — server may recover | Only after fixing the underlying cause |
Common real-world scenarios
When you see HTTP 511
511 appears in production when: Unhandled server-side exception; Upstream service failure.
When you see HTTP 401
In API logs, 401s indicate expired tokens, missing Authorization headers, or invalid API keys. Common patterns: a spike in 401s after a token rotation, systematic 401s indicating a service account credential expired, or per-user 401 spikes from a mobile app that is not handling token refresh correctly.
Decision rule
Use 511 when the response should communicate network authentication required behavior; use 401 when unauthorized is the accurate protocol signal.
A frequent mistake is swapping 511 and 401 for convenience; that causes client retry bugs, incorrect cache signals, and misleading monitoring data.
Use 511 when the correct protocol signal is Network Authentication Required. Use 401 when the correct signal is Unauthorized. Returning either code for the wrong reason breaks client expectations, cache behavior, and monitoring accuracy.
FAQ
What is the biggest difference between 511 and 401?
511 communicates Network Authentication Required, while 401 communicates Unauthorized. Choosing the right one keeps clients and intermediaries predictable.
Do 511 and 401 have SEO or caching impact?
Yes. Search engines and caches interpret status classes differently. Use each code according to its semantics to avoid accidental indexing, stale responses, or crawl inefficiency.
Can APIs safely return 511 instead of 401?
Only when it matches contract semantics. API clients often branch logic by exact code, so swapping them can break retries, auth handling, or user-facing errors.
Full guides
HTTP 511 Network Authentication Required — full guide · HTTP 401 Unauthorized — full guide · All comparisons · HTTP 511 status reference · HTTP 401 status reference