Which statement correctly distinguishes 401 Unauthorized from 403 Forbidden?

• A. 401 indicates missing or invalid authentication credentials; 403 indicates valid credentials but insufficient authorization.
• B. 401 indicates missing resource; 403 indicates invalid request formatting.
• C. 401 indicates internal server error; 403 indicates service unavailable.
• D. 401 indicates success; 403 indicates redirection.

Answer: (A)

The key idea is authentication versus authorization in HTTP status codes. A 401 means the client hasn’t provided valid authentication credentials (or none were provided) and the server is asking for them, often with a WWW-Authenticate challenge. A 403 means the client has authenticated, but does not have permission to access the resource due to insufficient authorization. The statement is correct because it captures that distinction: missing or invalid credentials map to 401, while valid credentials but insufficient authorization map to 403. The other choices mix up these meanings (for example, describing a missing resource or a bad request format, or labeling these codes as internal errors or success), which doesn’t fit how these status codes are defined.