Missing Authentication: The 401 That Saves You 45 Minutes of Nonsense

Published: (February 12, 2026, 01:49 PM GMT+9)
1 min read
Original: Dev.to

The Issue

There is a special kind of stupidity in APIs that doesn’t look dangerous — just mildly annoying.

Remove the Authorization header and send the request again.

If your API responds with anything other than 401 Unauthorized, it’s lying.

Correct Response Codes

  • 401 – “I don’t know who you are.”
  • 403 – “I know who you are, but you’re not allowed.”

If there is no token at all and you return 403, you’ve just sent developers on a wild‑goose chase through roles, scopes, and permissions — while the real problem is simply… there is no authentication.

Consequences of Wrong Codes

  • Returning 403 instead of 401 turns a 1‑second fix into a 45‑minute debugging session and a Slack thread.
  • Returning 400 or, even worse, 500 for missing auth isn’t a corner case; it’s architectural debt with a sense of humor.

Recommendation

Authentication must fail fast, clearly, and honestly.

  • No token? 401.

Not complicated.
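The two rules above as a framework-neutral request gate, added here as an example (not code from the original post); the bearer-token store, scope names and realm are constructed for illustration, and a 401 carries the WWW-Authenticate header that RFC 7235 requires:

```python
from dataclasses import dataclass, field

# Constructed sample token store: opaque bearer token -> (subject, granted scopes).
# A real service would look these up in a session store or validate a signed token.
TOKENS = {
    "tok-reader": ("alice", {"orders:read"}),
    "tok-admin": ("bob", {"orders:read", "orders:write"}),
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def _parse_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>', or None when the
    header is absent, uses another scheme, or carries no token."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def gate(headers, required_scope):
    """Decide 401 vs 403 before any handler runs.

    401: no credentials, or credentials we cannot map to an identity.
    403: identified caller who lacks the required scope.
    None: authenticated and authorized; the handler may proceed.
    """
    token = _parse_bearer(headers)
    if token is None:
        # "I don't know who you are": no usable credentials at all.
        return Response(401, "authentication required",
                        {"WWW-Authenticate": 'Bearer realm="api"'})
    entry = TOKENS.get(token)
    if entry is None:
        # Credentials were presented but are unrecognised: still 401 (RFC 6750 error code).
        return Response(401, "invalid token",
                        {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'})
    subject, scopes = entry
    if required_scope not in scopes:
        # "I know who you are, but you're not allowed": only now is 403 honest.
        return Response(403, f"{subject} lacks scope {required_scope}")
    return None
```

Run the gate first in the middleware chain so a missing header never reaches role or scope checks, which is exactly where the misleading 403 comes from.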

Full breakdown here: 👉
