Authentication 401 api proxy

Error 401 Unauthorized

Error 401 means the API request was not authenticated. In AI API proxy workflows, it usually points to a missing API key, wrong token, revoked key, malformed Authorization header, or a provider profile that sends the request to a different API than expected.

Snapshot

A 401 is an authentication failure. Check which key is loaded, which Base URL receives the request, whether the header format is correct, and whether the key is still active for that provider.

#error 401 #401 unauthorized #openai api 401 #claude code 401 #codex 401 #invalid api key

What Error 401 Means

Error 401 means the request reached an API endpoint, but the endpoint could not authenticate it.

For AI API proxies, this usually means the key, token, header format, or provider profile does not match the Base URL receiving the request.

Common Causes

  1. The API key is missing, empty, copied with extra spaces, revoked, expired, or belongs to another provider account.
  2. The Authorization header is malformed, such as missing the Bearer prefix for OpenAI-compatible APIs or using the wrong header for Anthropic-compatible APIs.
  3. The Base URL points to a different provider than the key was issued for, for example using an Anthropic key against an OpenAI-compatible proxy profile.
  4. Claude Code, Codex, Cursor, shell environment variables, or config.toml is reading an old key instead of the key you just edited.
  5. The proxy account is disabled, not activated, not allowed to call the selected model, or requires a different project, organization, or workspace setting.

How To Fix It

  1. Print or inspect the active environment variables and config files used by the tool, especially OPENAI_API_KEY, ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, and any provider-specific key.
  2. Confirm the Base URL and API key come from the same provider profile. Do not mix official OpenAI, Anthropic, and third-party proxy keys unless the provider explicitly documents that format.
  3. Check the request header format. OpenAI-compatible endpoints normally expect Authorization: Bearer YOUR_KEY, while Anthropic-compatible endpoints may use provider-specific auth headers.
  4. Create a fresh key in the provider dashboard and test one minimal request before changing complex Claude Code, Codex, Cursor, or CC Switch profiles.
  5. If the same key works in curl but fails in a CLI, restart the terminal or app and check whether another config file is overriding the expected key.

Checks For API Proxy Users

Test with the exact Base URL, API key, and model name used by the failing tool. A successful request with another key or another endpoint does not prove this profile is valid.

If a new key works in curl but fails in the CLI, the CLI is probably reading a stale environment variable, an old profile, or a different configuration file.

When To Change Provider

Change providers only after confirming the current key is disabled, the provider does not support the required auth flow, or the model is unavailable for your account. Most 401 errors are local configuration problems.

Related errors

Related guides

Related topics

FAQ

Common questions

Is Error 401 the same as Error 403?

No. A 401 usually means the request is not authenticated. A 403 usually means the request was authenticated but the account is not allowed to perform that action.

Why does the key work in one tool but fail in Codex or Claude Code?

Different tools may read different environment variables, config files, provider profiles, or auth headers. Check the exact key and Base URL loaded by the failing tool.

Should I switch API proxy providers after a 401?

Not first. A 401 is most often a key, header, or profile mismatch. Switch providers only after confirming the current provider has disabled the key or does not support the required authentication flow.