top | item 26226520

(no title)

403 is unauthorized (forbidden due to authorization policy).

401 is unauthenticated (not logged in).

Very important difference for clients handling authentication state.

discuss

That is not false, I didn't not fail to notice that after fixating on the incorrect double negative! However, not to be unfair, 401 is unfortunately not named "unauthenticated", even though it's conventional usage (as you point out) is not unintended to actually mean lack of authentication rather than of authorisation.