# unauthorized

> HTTP 401 — missing, expired, or invalid credentials.

| Field           | Value                                  |
| --------------- | -------------------------------------- |
| **HTTP status** | `401 Unauthorized`                     |
| **Code**        | `unauthorized`                         |
| **Retry?**      | No — refresh credentials and re-issue. |

## When this happens

The request reached the API but authentication failed. Common causes:

* No `Authorization` header at all.
* The header is present but the bearer token is empty or malformed.
* The API key has been deleted (rotated out).
* The Auth0 JWT has expired.
* The `Agnes-Version` is so old the server cannot accept its credentials.

The 401 is independent of *authorisation* (your scope set, role,
tenant access). Authentication failures are 401; authorisation
failures are [`forbidden`](/errors/forbidden) (403).

## Example response

```json
{
  "detail": "Invalid authentication credentials",
  "code": "unauthorized",
  "request_id": "5b3f6c7e-7d24-4d40-9b12-3a59c01c6e91",
  "doc_url": "https://docs.lasscyber.com/errors/unauthorized"
}
```

## How to fix

1. Confirm the `Authorization: Bearer …` header is set.
2. Confirm the token's prefix:
   * `ak_` for live keys.
   * `ak_test_` for sandbox keys.
   * JWT for Auth0-authenticated dashboard requests.
3. If using API keys, mint a fresh one in
   [`agnes.lasscyber.com/keys`](https://agnes.lasscyber.com/keys) and
   delete the old one once the new one is rolled out.
4. If using JWTs, sign in again from the dashboard.
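
Steps 1 and 2 can be checked locally before re-issuing the request. The following is an added example, not code from the Agnes SDKs or documentation; the function names are hypothetical, and it assumes the Auth0 JWT carries the standard `exp` claim. It decodes the JWT payload without verifying the signature, so it is for diagnosis only, and it cannot tell whether an API key has been deleted.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def diagnose_authorization(header, now=None):
    """Return (kind, finding) for an Authorization header value.

    The token itself is never returned, so the result is safe to log.
    """
    if not header:
        return ("none", "no Authorization header")
    scheme, _, token = header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer":  # HTTP auth scheme names are case-insensitive
        return ("none", "scheme is not Bearer")
    if not token:
        return ("none", "bearer token is empty")
    # Test the longer prefix first: every ak_test_ key also starts with ak_.
    if token.startswith("ak_test_"):
        return ("sandbox_key", "prefix ok; if rejected, check whether the key was deleted")
    if token.startswith("ak_"):
        return ("live_key", "prefix ok; if rejected, check whether the key was deleted")
    claims = jwt_claims(token)
    if claims is None:
        return ("unknown", "not an ak_ key, an ak_test_ key or a decodable JWT")
    now = time.time() if now is None else now
    exp = claims.get("exp")  # assumption: standard RFC 7519 expiry claim
    if isinstance(exp, (int, float)) and exp <= now:
        return ("jwt", "expired")
    return ("jwt", "not expired by local clock")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in (None, "Bearer ", "Bearer ak_test_CONSTRUCTED", "Basic abc"):
        print(diagnose_authorization(sample))
```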

## SDK behaviour

| SDK        | Exception                   |
| ---------- | --------------------------- |
| Python     | `agnes.AuthenticationError` |
| TypeScript | `AuthenticationError`       |

Both SDKs surface `request_id` on the exception. SDKs do **not** retry
401s automatically; the only way out is to refresh credentials.

## Related

* [Authentication](/get-started/authentication) — bearer headers, key
  rotation, version pinning.
* [`forbidden`](/errors/forbidden) — authentication succeeded but
  authorisation failed.
