Authentication proves who you are (usually by means of some password or token). Authorization proves what you can do. An http 401 error is for the former and an http 403 is for the latter. Note the confusion of terms. http 401s are named Unauthorized while they really mean not authenticated.