SIP Response Code

SIP 401 Unauthorized

Updated April 2026

SIP 401 Unauthorized is not always an error. It is a normal part of the digest authentication challenge-response flow. When 401 loops or never resolves to 200 OK, something in the auth exchange has failed.

1. How SIP digest authentication works

SIP digest authentication follows a challenge-response pattern defined in RFC 3261. The flow for a REGISTER:

  1. Client sends REGISTER with no credentials
  2. Server responds 401 Unauthorized with a WWW-Authenticate header containing a nonce and realm
  3. Client computes MD5(username:realm:password) combined with the nonce and other fields
  4. Client resends REGISTER with Authorization header containing the computed digest
  5. Server verifies the digest and responds 200 OK if correct

; Step 2 - 401 challenge from server
SIP/2.0 401 Unauthorized
WWW-Authenticate: Digest realm="sipsymposium.com", nonce="abc123def456", algorithm=MD5, qop="auth"

; Step 4 - Client response with credentials
REGISTER sip:sipsymposium.com SIP/2.0
Authorization: Digest username="1001", realm="sipsymposium.com", nonce="abc123def456", uri="sip:sipsymposium.com", response="d41d8cd98f00b204e9800998ecf8427e", algorithm=MD5, qop=auth, nc=00000001, cnonce="0a4f113b"

The same pattern applies to INVITE requests when proxy authentication is required, except the server sends 407 Proxy Authentication Required instead of 401.
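
Steps 3 to 5 carried through in code, as an added example that is not part of the original guide: it computes the MD5 digest with qop=auth and shows the server-side check failing when the client's realm or password differs. The password is a made-up value, and the helper names and the assumption that the client takes its realm from its own configuration are illustrative.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # What a server may store instead of the plain-text password.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")  # no qop in the challenge

def build_authorization(username, realm, password, method, uri, nonce):
    # Client side (steps 3-4). Assumption: realm and password come from client config.
    auth = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b"}
    auth["response"] = digest_response(ha1(username, realm, password), method, uri,
                                       nonce, auth["qop"], auth["nc"], auth["cnonce"])
    return auth

def server_accepts(auth, method, stored_ha1):
    # Server side (step 5): recompute from the stored HA1 and compare.
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
    return hmac.compare_digest(expected, auth["response"])

# Constructed values: header fields mirror the trace above, the password is made up.
SERVER_REALM, URI, NONCE = "sipsymposium.com", "sip:sipsymposium.com", "abc123def456"
PASSWORD = "example-password"
STORED_HA1 = ha1("1001", SERVER_REALM, PASSWORD)

def run_cases():
    cases = {"correct": (SERVER_REALM, PASSWORD),
             "realm_mismatch": ("sip.sipsymposium.com", PASSWORD),
             "trailing_space": (SERVER_REALM, PASSWORD + " ")}
    return {name: server_accepts(build_authorization("1001", realm, pw, "REGISTER", URI, NONCE),
                                 "REGISTER", STORED_HA1)
            for name, (realm, pw) in cases.items()}

if __name__ == "__main__":
    print(run_cases())
```

Because the realm is hashed into HA1, a stored HA1 is only valid for the exact realm string it was generated with.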

2. Normal 401 vs error 401

Normal 401: You see one 401 followed immediately by a re-REGISTER with Authorization header, followed by 200 OK. This is correct behavior — the 401 is the challenge, not the error.

Error 401: You see 401 repeating without a 200 OK. This means authentication is failing. The phone or PBX is sending credentials but the server keeps rejecting them.

; Normal auth flow (correct)
REGISTER -> 401 -> REGISTER (with auth) -> 200 OK

; Failed auth loop (error)
REGISTER -> 401 -> REGISTER (with auth) -> 401 -> REGISTER -> 401 ...

; No credentials sent at all (misconfiguration)
REGISTER -> 401 -> (silence - client gives up)

3. Common causes of 401 failure

Cause 01
Wrong password
The most common cause. The password in the phone or PBX trunk does not match the server. Passwords are case-sensitive. Check for leading/trailing spaces. Some systems store an HA1 hash instead of plain text — verify which format your server expects.
Cause 02
Realm mismatch
The realm in the 401 WWW-Authenticate header must match the realm configured in the client. If your PBX is configured with realm "example.com" but the server sends realm "sip.example.com", the digest will not match. Check the exact realm string in both places.
Cause 03
Username mismatch
The username in the Authorization header must match the user record on the server. Some systems use the extension number (1001), others use a full SIP URI (1001@example.com), and some use a separate auth username distinct from the display name.
Cause 04
Nonce expiry
Servers issue nonces with a limited validity window. If the client takes too long to respond (clock skew, slow network), the nonce expires and the server rejects the auth with a fresh 401 containing a new nonce. Check server and client clocks are synchronized via NTP.
Cause 05
SIP ALG corrupting auth headers
SIP ALG on a router or firewall can rewrite the Authorization header, corrupting the digest calculation. The server receives a modified auth header that no longer matches the expected hash. Disable SIP ALG on all network devices in the path.
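
The trace patterns from section 2 and the realm and nonce causes above can be checked mechanically. The following is an added example, not part of the original guide or of any SIP product: it classifies a simplified text trace, and the message layout (blank-line separated, one header per line), the function names and the sample traces are constructed assumptions.

```python
import re

PARAM = re.compile(r'(\w+)="?([^",]+)"?')
AUTH_HEADERS = ("www-authenticate", "authorization")

def parse(trace):
    """Return [(start_line, digest_params)] for blank-line separated messages."""
    events = []
    for block in trace.strip().split("\n\n"):
        lines = block.strip().splitlines()
        params = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() in AUTH_HEADERS:
                params = dict(PARAM.findall(value))
        events.append((lines[0], params))
    return events

def classify(trace):
    """Return (verdict, hints) for one REGISTER exchange."""
    events = parse(trace)
    if events[-1][0].startswith("SIP/2.0 200"):
        return ("normal", [])
    challenge, hints, answered = {}, set(), False
    for start, params in events:
        if start.startswith("SIP/2.0 401"):
            challenge = params          # most recent challenge
        elif start.startswith("REGISTER") and params:
            answered = True
            if params.get("realm") != challenge.get("realm"):
                hints.add("realm_mismatch")
            if params.get("nonce") != challenge.get("nonce"):
                hints.add("stale_nonce")
    if not answered:
        return ("no_credentials_sent", [])
    return ("auth_loop", sorted(hints) or ["credentials_rejected"])

# Constructed sample messages (not captured traffic).
RG = "REGISTER sip:example.com SIP/2.0"
CH = 'SIP/2.0 401 Unauthorized\nWWW-Authenticate: Digest realm="sip.example.com", nonce="{n}"'
AU = RG + '\nAuthorization: Digest username="1001", realm="{r}", nonce="{n}", response="0"'
NORMAL = "\n\n".join([RG, CH.format(n="n1"), AU.format(r="sip.example.com", n="n1"), "SIP/2.0 200 OK"])
LOOP = "\n\n".join([RG, CH.format(n="n1"), AU.format(r="example.com", n="n1"),
                    CH.format(n="n2"), AU.format(r="example.com", n="n1"), CH.format(n="n3")])
SILENT = "\n\n".join([RG, CH.format(n="n1")])

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("loop", LOOP), ("silent", SILENT)):
        print(name, classify(trace))
```

A loop with no hints is reported as `credentials_rejected`, which points back at the password or username rather than the realm or nonce.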

4. Fixing SIP 401 in Asterisk

PJSIP authentication debugging

; Enable verbose logging
asterisk -r
pjsip set logger on
core set verbose 5

; Check auth object configuration
pjsip show auth myauth

; Verify endpoint uses correct auth
; (run from the system shell; the Asterisk CLI does not support pipes)
asterisk -rx "pjsip show endpoint myendpoint" | grep auth

; Check registration status
pjsip show registrations

Common Asterisk auth fixes

; pjsip.conf - correct auth configuration
[myauth]
type=auth
auth_type=userpass
username=1001
password=correctpassword   ; must match server exactly

[myendpoint]
type=endpoint
auth=myauth                ; inbound auth
outbound_auth=myauth       ; outbound auth (for trunks)

; For registration auth:
[myreg]
type=registration
outbound_auth=myauth
server_uri=sip:sip.provider.com
client_uri=sip:1001@sip.provider.com

5. Fixing SIP 401 in Kamailio and OpenSIPS

# Kamailio routing script - debug auth failures
request_route {
    if (is_method("REGISTER")) {
        xlog("L_INFO", "[$ci] REGISTER from $fu realm=$fd\n");
        if (!www_authorize("", "subscriber")) {
            xlog("L_WARN", "[$ci] Auth failed for $fu - checking reason\n");
            xlog("L_WARN", "[$ci] Auth error: $avp(auth_err)\n");
            www_challenge("", "0");
            exit;
        }
        xlog("L_INFO", "[$ci] Auth passed for $fu\n");
        save("location");
        exit;
    }
}

# Check subscriber table has correct HA1 hash
# HA1 = MD5(username:realm:password)
# Generate with: echo -n "1001:realm:password" | md5sum

In OpenSIPS, use opensipsctl add 1001@example.com password to create subscribers — this generates the correct HA1 hash automatically. Never manually insert plain text passwords into the subscriber table.

6. Diagnosing 401 from a SIP trace

In a SIP trace showing a 401 loop, look for these indicators:

Frequently asked questions

What does SIP 401 Unauthorized mean?

SIP 401 Unauthorized is a digest authentication challenge. It means the server is asking the client to prove its identity before processing the request. A single 401 followed by a re-REGISTER with credentials and a 200 OK is normal. Repeated 401 responses without a 200 OK indicate authentication failure — wrong password, realm mismatch, or corrupted auth headers.

Why does SIP keep returning 401 in a loop?

SIP 401 loops are caused by wrong credentials (password mismatch), realm mismatch between client and server configuration, SIP ALG on a router corrupting the Authorization header, nonce expiry due to clock skew, or username format mismatch. Enable SIP debug logging and check the exact realm string in the 401 WWW-Authenticate header against your client configuration.

What is the difference between SIP 401 and SIP 407?

SIP 401 Unauthorized is sent by the endpoint or registrar challenging the client directly. SIP 407 Proxy Authentication Required is sent by an intermediate SIP proxy requiring authentication before forwarding the request. The auth mechanism is the same (digest), but 401 uses WWW-Authenticate and Authorization headers while 407 uses Proxy-Authenticate and Proxy-Authorization headers.
