401 Unauthorized
- Status code 401 indicates an authentication failure: the request carried no valid credentials, or the credentials it carried could not be verified.
- Usually returned by web servers, not web applications.
- Scenarios: an invalidated token, a missing token, or a forged token, leaving the server unable to establish the requester's identity.
403 Forbidden
- Status code 403 indicates an authorization failure: the user has usually been authenticated but lacks permission to access or operate on the given resource.
- Typically returned by web applications.
- Scenario: the user logs in successfully but does not have the right to perform the requested read or write operation.
Summary
The main differences between 401 and 403 are:
- The focus is different: 401 focuses on authentication, 403 focuses on authorization
- The component that returns it is different: 401 is usually returned by the web server, 403 by the web application
- The scenarios are different: 401 means the user has not passed authentication, while 403 means the user has typically passed authentication but lacks the required permission
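The decision described above, as an added example that is not part of the original note: a request handler that answers 401 when the bearer token is missing, malformed or forged (the authentication step fails) and 403 when the token is valid but the user lacks the permission the method needs. The token format (`user.hmac-signature`), the demo secret and the permission table are assumptions constructed for this example.

```python
import hmac
import hashlib

# Constructed demo secret and permission table (assumptions, not from the note).
SECRET = b"demo-secret-not-for-production"
PERMISSIONS = {"alice": {"read", "write"}, "bob": {"read"}}


def issue_token(user):
    """Build a constructed 'user.signature' token (HMAC-SHA256) for the demo."""
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"


def authenticate(authorization_header):
    """Return the user name for a valid Bearer token, or None.
    None covers the 401 scenarios: missing, malformed, unknown or forged token."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    user, sep, sig = token.partition(".")
    if not sep or user not in PERMISSIONS:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature leaks no timing information.
    if not hmac.compare_digest(expected, sig):
        return None
    return user


def handle(method, authorization_header):
    """Return (status, headers): 401 when authentication fails, 403 when the
    authenticated user lacks the needed permission, 200 otherwise."""
    user = authenticate(authorization_header)
    if user is None:
        # RFC 7235 requires a 401 response to carry a WWW-Authenticate challenge.
        return 401, {"WWW-Authenticate": 'Bearer realm="demo"'}
    needed = "read" if method in ("GET", "HEAD") else "write"
    if needed not in PERMISSIONS[user]:
        return 403, {}
    return 200, {}
```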