
A distinct HTTP status for not logged in vs. not authorized in a RESTful API

So I send a few different status headers in my API, including 404, 409, 201, 302 and the like. Now I'm running into issues with 401 Unauthorized. I'm currently sending it if a user is not logged in (the entire API is rights managed) or if a user doesn't satisfy the specific access requirements for the particular resource being retrieved/modified.

Now, I also control the frontend client (a jQuery/HTML application), and I'd like to differentiate between the two cases for 401. Is there a distinct status I should be using for not logged in? Is the best way to handle it to send body content alongside the header?

Steven asked Aug 19 '10 22:08


1 Answer

You should use 403 to indicate that the user isn't authorized to access the resource. Using 401 is for indicating that the user needs to supply credentials just as you are currently using it. See the descriptions of 401 and 403 here.

laz answered Oct 27 '22 19:10
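The split the answer describes, worked through as an added example (not code from the original question or answer): a server-side decision helper that returns 401 with a `WWW-Authenticate` challenge when no valid credentials are present, and 403 when the caller is authenticated but lacks the required role, plus the client-side branch that acts differently on each. The Bearer token scheme, the `sessions` table, the role names and the `clientAction` helper are all constructed assumptions; header names are assumed lower-cased as Node's `http` module does.

```javascript
// Added example, not from the original post. Session store, roles and
// token values are constructed for demonstration.
const sessions = new Map([
  ['tok-alice', { user: 'alice', roles: ['reader'] }],
  ['tok-bob',   { user: 'bob',   roles: ['reader', 'admin'] }],
]);

// Extract the token from "Authorization: Bearer <token>", or null if absent/malformed.
function parseBearer(headers) {
  const value = headers['authorization'] || '';
  const m = /^Bearer\s+(\S+)$/i.exec(value);
  return m ? m[1] : null;
}

// Decide the response for a request that needs `requiredRole`.
// Returns { status, headers, body } so the caller can write it out.
function authorize(req, requiredRole) {
  const token = parseBearer(req.headers || {});
  const session = token ? sessions.get(token) : undefined;

  if (!session) {
    // 401: identity unknown or token invalid; the client must (re)authenticate.
    // A 401 response carries a WWW-Authenticate challenge telling it how.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': 'Bearer realm="api"' },
      body: { error: 'authentication_required' },
    };
  }

  if (!session.roles.includes(requiredRole)) {
    // 403: identity known, but this principal is not permitted. Re-sending the
    // same credentials cannot help, so no challenge header is issued.
    return {
      status: 403,
      headers: {},
      body: { error: 'forbidden', required: requiredRole },
    };
  }

  return { status: 200, headers: {}, body: { user: session.user } };
}

// Client-side counterpart (what the jQuery app would do in its error handler):
// 401 means "go log in", 403 means "logged in, but this action is off limits".
function clientAction(status) {
  if (status === 401) return 'redirect_to_login';
  if (status === 403) return 'show_permission_denied';
  return 'proceed';
}

// Constructed requests: anonymous, a plain reader, and an admin.
const anonymous = { method: 'DELETE', url: '/posts/1', headers: {} };
const reader = { ...anonymous, headers: { authorization: 'Bearer tok-alice' } };
const admin = { ...anonymous, headers: { authorization: 'Bearer tok-bob' } };

function demo() {
  for (const [name, req] of [['anonymous', anonymous], ['reader', reader], ['admin', admin]]) {
    const res = authorize(req, 'admin');
    console.log(name, '->', res.status, clientAction(res.status));
  }
}
demo();
```

The 403 path deliberately omits `WWW-Authenticate`; a client that blindly retries with the same credentials on every non-2xx response would otherwise loop on a permission problem it cannot fix.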