A distinct HTTP status for not logged in vs. not authorized in a RESTful API

http rest http-status-codes http-status
Steven picture Steven · Aug 20, 2010 · Viewed 16.6k times · Source

So send a few different status headers in my API including 404, 409, 201, 302 and the like. Now I'm running into issues with 401 Unauthorized. I'm currently sending it if a user is not logged in (the entire API is rights managed) or if a user doesn't satisfy the specific access requirements for the particular resource being retrieved/modified.

Now, I also control the frontend client (a jQuery/HTML application), and I'd like to differentiate between the two cases for 401. Is there a distinct status I should be using for not logged in? Is the best way to handle it to send body content alongside the header?

Answer

laz picture laz · Aug 20, 2010

You should use 403 to indicate that the user isn't authorized to access the resource. Using 401 is for indicating that the user needs to supply credentials just as you are currently using it. See the descriptions of 401 and 403 here.

Related questions

REST HTTP status codes for failed validation or invalid duplicate

I am building an application with a REST-based API and have come to the point where I am specifying status codes for each requests. What status code should i send for requests failing validation or where a request is trying …

Read More
HTTP response code for POST when resource already exists

I'm building a server that allows clients to store objects. Those objects are fully constructed at client side, complete with object IDs that are permanent for the whole lifetime of the object. I have defined the API so that clients …

Read More
HTTP status code for "no data available" from an external datasource

Scenario: A POST request is sent to process an order that will result in data retrieval from an external datasource. There are three possible results: The datasource returned data for the request No data was available for the request (this …

Read More