
What is the most suitable response status code on bad credentials for get JWT token?



HTTP specifies 401 (Not Authorized), but it must contain the WWW-Authenticate header. As far as I know, the JWT RFC doesn't specify a way to get a token. That's why I think it is not correct to write:

WWW-Authenticate: JWT

Some frameworks, as I have seen (rest-framework, flask-api), send 400 (Bad Request).
What is the most valid response status code on bad credentials for getting a JWT token?


The most common usage of JWT for request authorization is done according to the OAuth2 bearer tokens specification. In this situation any party (the bearer) in possession of a valid token can perform an authorized call as the resource server (API) just validates the token itself.

According to this specification, the way to signal to the calling party that the request either needs to include a bearer access token or that the one received is not valid would be to include the following response header as part of a 401:

WWW-Authenticate: Bearer realm="example"

Where the realm parameter is optional so it could be reduced to just replying with the Bearer authentication challenge.

Have in mind that the following applies to a request that requires a bearer access token; if you're referring to a request that is meant to obtain a bearer access token, then you should comply with what OAuth2 mandates as part of the grants available to obtain OAuth2 access tokens. Although OAuth2 does not mandate a particular access token format, it's common to use JWTs.


That is true after the client has a token. But I was talking about the situation when the client doesn't have a token and tries to get it:

POST https://someurl -d login=my_login password=my_password
It waits for a token, but can get a 401.


That scenario is covered in the last paragraph of the answer; if it's a request to obtain an access token according to OAuth2, then you should check the core OAuth2 RFC so that the responses comply with the spec. If it's something custom, then the response is possibly also something custom, but if it's an endpoint that requires username/password authentication, then the challenge should probably be associated with the HTTP basic authentication scheme.
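To make the two cases in this thread concrete, here is an added example (not code from the thread or from Auth0) of how a token endpoint and a protected API pick their status codes and challenge headers under RFC 6749 (OAuth2 core) and RFC 6750 (bearer tokens). The user, client and token stores are constructed sample data.

```python
"""Which status and challenge header fits which request: the token endpoint
(RFC 6749) versus an API that requires a bearer token (RFC 6750)."""
import base64
import hmac
import json
from typing import Optional, Tuple

# Constructed sample stores; a real server would hash passwords and secrets.
USERS = {"my_login": "my_password"}
CLIENTS = {"my_client": "client_secret"}
VALID_TOKENS = {"token-abc"}
Response = Tuple[int, dict, str]  # (status, headers, body)

def _match(expected: Optional[str], given: str) -> bool:
    # constant-time comparison; an unknown name simply fails
    return expected is not None and hmac.compare_digest(expected.encode(), given.encode())

def token_endpoint(form: dict, authorization: Optional[str] = None) -> Response:
    """Password grant (RFC 6749 section 4.3). Per section 5.2, a bad *client*
    credential sent in the Authorization header is a 401 whose challenge
    matches the scheme the client used (here HTTP Basic); bad *resource
    owner* credentials are a 400 with error=invalid_grant, not a 401."""
    if authorization:
        scheme, _, cred = authorization.partition(" ")
        try:
            client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            client_id, secret = "", ""
        if scheme.lower() != "basic" or not _match(CLIENTS.get(client_id), secret):
            return 401, {"WWW-Authenticate": 'Basic realm="example"'}, json.dumps({"error": "invalid_client"})
    if form.get("grant_type") != "password":
        return 400, {}, json.dumps({"error": "unsupported_grant_type"})
    if "username" not in form or "password" not in form:
        return 400, {}, json.dumps({"error": "invalid_request"})
    if not _match(USERS.get(form["username"]), form["password"]):
        return 400, {}, json.dumps({"error": "invalid_grant"})
    return 200, {"Cache-Control": "no-store"}, json.dumps({"access_token": "token-abc", "token_type": "Bearer"})

def protected_resource(authorization: Optional[str]) -> Response:
    """Resource server (RFC 6750 section 3): a missing or invalid bearer
    token gets a 401 carrying the Bearer challenge from the answer above."""
    challenge = 'Bearer realm="example"'
    if not authorization:
        return 401, {"WWW-Authenticate": challenge}, ""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token not in VALID_TOKENS:
        return 401, {"WWW-Authenticate": challenge + ', error="invalid_token"'}, ""
    return 200, {}, json.dumps({"hello": "world"})
```

The 400 for a wrong username/password at the token endpoint is what the frameworks mentioned in the question are doing; the 401 with a challenge is reserved for the cases where the caller is being asked to authenticate under a named HTTP scheme.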