n8n HTTP Request Node 401 Error

Step by Step Guide to solve n8n HTTP Request Node 401 Unauthorized Error

 

---

 

Who this is for: Workflow developers who use n8n to call external APIs and encounter a 401 Unauthorized response from the HTTP Request node. We cover this in detail in the n8n Node Specific Errors Guide.

---

Quick Diagnosis

Problem: The HTTP Request node returns 401 Unauthorized because the request lacks valid authentication.

Quick fix

Step	Action	n8n setting
1	Confirm the API’s auth type (Basic, Bearer, OAuth2, API‑Key)	**Authentication** dropdown
2	Create the matching **Credential** and fill required fields	**Credentials** panel
3	Attach the credential (or add a custom header) to the node	Credential selector / **Headers** section
4	Run a minimal **GET** request → expect 200/204	**Execute Node**

If the error persists, verify token scope, expiration, and any required custom headers (e.g., X‑API‑KEY).

1. Why a 401 Appears in the HTTP Request Node

If you encounter any n8n http request node timeout resolve them before continuing with the setup.

A 401 response means the server could not verify the client. In n8n this usually stems from one of the following:

Root cause	Typical manifestation
Missing or malformed Authorization header	No Authorization header or value is malformed
Expired / revoked token (Bearer, OAuth2)	Credential still holds a stale token
Incorrect Basic Auth encoding	Username/password not base64‑encoded
API‑Key required in a custom header (e.g., X‑API‑KEY)	Only standard Authorization header is sent
IP‑whitelisting or domain restrictions	Server blocks the request from n8n’s IP

Identifying the exact cause is the first step to a deterministic fix.

2. Step‑by‑Step Troubleshooting Workflow

If you encounter any n8n http node invalid json response error resolve them before continuing with the setup.

2.1 Identify the API’s Authentication Scheme

1. Open the API documentation.
2. Locate the Authentication section – note whether it uses Basic, Bearer, OAuth2, API‑Key (header or query), or a custom scheme.

EEFA note: APIs such as Salesforce or Google use OAuth2 with a refresh token. A static access token will cause 401 after it expires.

2.2 Create the Correct Credential in n8n

Auth type	Credential type	Required fields
Basic	HTTP Basic Auth	Username, Password
Bearer token	HTTP Bearer Token	Token
OAuth2 (Authorization Code)	OAuth2 API	Client ID, Client Secret, Access Token URL, Authorization URL, Scope
API‑Key (header)	API Key	Header Name, Key Value
API‑Key (query)	API Key (query)	Parameter Name, Key Value

Create or edit the credential → Credentials → Add New → select the appropriate type → fill fields → Save.

2.3 Attach the Credential to the HTTP Request Node

1. In the node’s Authentication dropdown, select the credential you just created.
2. If the API expects the token in a custom header (not Authorization), enable Add Custom Header and type the header name/value manually.

2.4 Validate with a Minimal Payload

Purpose: Isolate authentication from other request elements.

• Method: GET
• URL: the endpoint you’re testing
• Body / Query: none
• Headers: only the auth‑related ones

Click Execute Node.

Expected outcome – 200 OK (or 204 No Content). If you still receive 401, move to the “Common Pitfalls” section.

3. Common Pitfalls & Resolutions

Pitfall	Symptom	Fix
Base64 encoding error (Basic Auth)	401 even though username/password are correct	Use n8n’s HTTP Basic Auth credential – it handles encoding automatically. If you manually set an Authorization header, encode username:password with base64.
Token expired (Bearer / OAuth2)	401 after a few hours of successful runs	Refresh the token. For OAuth2, enable Auto Refresh in the credential. For static Bearer tokens, regenerate the token from the provider.
Missing required scope (OAuth2)	401 with message “insufficient_scope”	Add the missing scope(s) in the credential’s Scope field and re‑authenticate.
Wrong header name (API‑Key)	401 but docs say use X‑API‑KEY	Use Add Custom Header; do not rely on the generic Authorization field.
IP whitelist not updated	401 despite correct credentials	Add your n8n instance’s public IP (or VPC CIDR) to the API’s whitelist.
Trailing slash / URL mismatch	401 only on production URL	Replicate the exact URL (protocol, sub‑domain, trailing slash) shown in the docs.

EEFA warning: Storing long‑lived bearer tokens in plain‑text credentials is a security risk. Prefer OAuth2 flows with automatic refresh, or encrypt the token using n8n’s Secrets feature.

4. Real‑World Configuration Examples

If you encounter any n8n webhook node missing signature resolve them before continuing.

Below are concise snippets (≤ 5 lines each) that you can paste into n8n’s **HTTP Request** node UI.

4.1 Basic Auth – GitHub API

Context – Retrieve the authenticated user’s profile.

{
  "method": "GET",
  "url": "https://api.github.com/user",
  "authentication": "basicAuth"
}

*In n8n*:

• **Authentication** → Basic Auth
• Choose the **GitHub Basic Auth** credential you created (username + personal access token).

4.2 Bearer Token – Stripe

Context – List Stripe customers.

{
  "method": "GET",
  "url": "https://api.stripe.com/v1/customers",
  "headers": {
    "Authorization": "Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc"
  }
}

*In n8n*:

• **Authentication** → Bearer Token
• Attach the **Stripe Bearer Token** credential.

4.3 OAuth2 with Auto‑Refresh – Google Drive

Context – Read‑only access to Drive files.

{
  "method": "GET",
  "url": "https://www.googleapis.com/drive/v3/files",
  "authentication": "oAuth2"
}

*Credential setup*

1. **OAuth2 API** credential → fill Client ID, Client Secret, Auth URL, Token URL.
2. Scope: https://www.googleapis.com/auth/drive.readonly
3. Enable “Auto Refresh”.

n8n will fetch a fresh access token automatically, preventing 401 due to expiry.

4.4 API‑Key in Custom Header – SendGrid

Context – Retrieve marketing contacts.

{
  "method": "GET",
  "url": "https://api.sendgrid.com/v3/marketing/contacts",
  "headers": {
    "Authorization": "Bearer SG.xxxxxxxx",
    "X-API-KEY": "my‑sendgrid‑key"
  }
}

*In n8n*:

• Set **Authentication** to None.
• Under **Headers**, add two entries:
  1. Authorization → Bearer SG.xxxxxxxx
  2. X-API-KEY → my‑sendgrid‑key

5. Pre‑Run Checklist

• Confirm the API’s auth type (Basic, Bearer, OAuth2, API‑Key).
• Create a dedicated **Credential** matching that type.
• Attach the credential (or custom header) to the HTTP Request node.
• Test with a minimal GET request → expect 200/204.
• Verify token freshness (OAuth2 auto‑refresh enabled).
• Ensure the n8n server IP is whitelisted if required.

Running through this checklist eliminates most 401 scenarios before they reach production.

6. Advanced Troubleshooting

Situation	Diagnostic steps	Resolution
401 only on POST/PUT	Compare request bodies; some APIs reject missing required fields.	Add the missing fields; set Content-Type to application/json.
401 after a redirect (3xx)	Enable **Follow Redirects** and inspect the Location header.	Some APIs require auth on the final URL – disable **Allow Unauthorized Redirects** and ensure credentials are sent after redirection.
Rate‑limit combined with 401	Check response headers for Retry-After.	Wait the indicated time, then retry; confirm you’re not hitting a secondary auth endpoint.
Dynamic token per request (e.g., JWT)	Use a **Function** node to generate the token, then pass it to the HTTP Request node.	Set the header expression: Authorization: Bearer {{$json["token"]}}.
Need to capture failures	Add an **Error Trigger** that catches 401, logs details, and optionally notifies Slack.	Prevent silent downstream failures and accelerate incident response.

EEFA tip: Wrap production HTTP calls in a Try / Catch pattern. On 401, the catch branch can refresh credentials or raise an alert, keeping the workflow resilient.

8. Conclusion

A 401 Unauthorized response in the n8n HTTP Request node is almost always an authentication mismatch. By:

1. Identifying the exact auth scheme,
2. Creating the matching credential,
3. Attaching it (or a custom header) correctly, and
4. Validating with a minimal request,

you eliminate the majority of failures. Enable token auto‑refresh for OAuth2, keep API keys out of plain text, and verify any IP‑whitelisting requirements. With these practices, your n8n workflows will handle production‑grade API integrations reliably and securely.