HTTP status codes / 4xx — Client errors
Authentication is missing or invalid; the name is misleading.
Despite the name, 401 is about authentication, not authorization: no credentials were sent, or they were wrong/expired. The response includes a WWW-Authenticate header describing the expected scheme.
curl -i https://httpbin.org/basic-auth/user/pass
Same request, no terminal: paste this into the cURL converter for native code, or straight into ReqPad on your phone.
Check that the Authorization header is actually being sent (proxies and redirects love stripping it), the token is not expired, and the scheme (Bearer vs Basic) matches what the API expects.
Server-side note: Server should send WWW-Authenticate naming the expected scheme. Clients: verify the header actually leaves your app — log the raw request.
The fastest way to pin down a 401 is to reproduce the exact request and inspect what actually went over the wire — status, headers, timing and body, without your app code in the way. That is what an API client is for; ReqPad does it from your phone, with every request saved to history.
400 Bad Request · 402 Payment Required · 403 Forbidden · 404 Not Found · 405 Method Not Allowed · 406 Not Acceptable — or the full reference.
Build the request, send it, read status + headers + timing — on your iPhone. Free to start.