When building a REST API there is often confusion about when to respond with 401 Unauthorized and when to respond with 403 Forbidden. If the integration team is not aware of the difference, the status codes become ambiguous and clients cannot tell whether they should re-authenticate or give up on the request.
401 Unauthorized is recommended when the token is missing, invalid or expired, or when the API could not otherwise identify/authenticate the caller. Despite its name, 401 means "not authenticated": RFC 7235 requires the response to carry a WWW-Authenticate header telling the client how to authenticate. When a REST API responds with 401, the client should verify whether its token is valid or expired and obtain a new one before retrying.
403 Forbidden is recommended when the token is valid and the user is authenticated, but the request does not have the privilege (role or scope) to access the requested resource/endpoint. Retrying with the same credentials will not help, so clients should not treat 403 as a signal to re-authenticate.
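The decision described above, as an added example that is not part of the original post: a small request handler that distinguishes the three cases (no credentials, bad or expired credentials, authenticated but unprivileged). The HMAC-signed token format, the secret, the endpoints and the required scopes are all constructed for this example; the WWW-Authenticate error values follow RFC 6750 (error="invalid_token" on 401, error="insufficient_scope" on 403).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing key for the example; not from the original post.
SECRET = b"example-hmac-key-do-not-use-in-production"

# Hypothetical endpoint -> required scope map (constructed for the example).
REQUIRED_SCOPE = {
    "GET /reports": "reports:read",
    "DELETE /reports": "reports:admin",
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl: int, now: int) -> str:
    """Mint a 'payload.signature' bearer token (toy format, HMAC-SHA256)."""
    payload = json.dumps(
        {"sub": subject, "scopes": scopes, "exp": now + ttl}, separators=(",", ":")
    ).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(token: str, now: int):
    """Return (claims, None) on success or (None, reason) on failure."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison: check the signature before trusting any claim
    if not hmac.compare_digest(sig, expected):
        return None, "bad_signature"
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None, "expired"
    return claims, None


def handle(method: str, path: str, headers: dict, now: int = None):
    """Dispatch one request; returns (status, response_headers, body)."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # Case 1: no credentials at all -> 401 with the challenge the client must satisfy
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "unauthorized"}

    claims, reason = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        # Case 2: credentials present but not acceptable (malformed, forged, expired)
        # -> still 401; the client should obtain a fresh token and retry
        challenge = f'Bearer realm="api", error="invalid_token", error_description="{reason}"'
        return 401, {"WWW-Authenticate": challenge}, {"error": "unauthorized"}

    needed = REQUIRED_SCOPE.get(f"{method} {path}")
    if needed is None:
        return 404, {}, {"error": "not_found"}
    if needed not in claims.get("scopes", []):
        # Case 3: authenticated, but lacks the privilege -> 403; retrying will not help
        challenge = f'Bearer realm="api", error="insufficient_scope", scope="{needed}"'
        return 403, {"WWW-Authenticate": challenge}, {"error": "forbidden"}

    return 200, {}, {"sub": claims["sub"], "data": "..."}


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("alice", ["reports:read"], ttl=3600, now=now)
    print(handle("GET", "/reports", {}, now))                                   # 401, no token
    print(handle("GET", "/reports", {"Authorization": "Bearer " + tok}, now))   # 200
    print(handle("DELETE", "/reports", {"Authorization": "Bearer " + tok}, now))  # 403
    print(handle("GET", "/reports", {"Authorization": "Bearer " + tok}, now + 7200))  # 401, expired
```

Note that the signature is verified before any claim (including exp) is read, so an attacker cannot learn anything about the claims-checking logic from a forged token. Some APIs deliberately answer 404 instead of 403 for resources the caller may not even know exist; that is a separate information-disclosure trade-off and should be a conscious, documented choice rather than an accident.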
Originally published at http://www.techmonks.org on July 15, 2020.