401 Unauthorized Credentials error

Jerry_Holmes · July 20, 2025, 2:53pm

I am getting a 401 Unauthorized Credentials error when a new user goes to create an account. This occurs right after they enter their email address in the hosted login form. This does not occur if the user tries to login with an existing email, only when creating a new account. All other Stytch functions seem to work. It also works fine if you try to create a new account on a different computer (i.e. One where the user has been logged out for a while). Any help is appreciated.

Here’s the details:

Field

Value

@timestamp

2025-07-20T14:27:43.412Z

action

PasswordsCreate

email

burton2065@gmail.com

eventId

event-test-ae811535-c3cf-42a4-817d-08d441001af3

httpStatusCode

401

projectId

project-test-0d7cc327-48a0-4870-a6a4-4558d066e268

requestId

request-id-test-cc77a650-0eff-41fa-95a2-d8308ddcd9e4

sessionDurationMinutes

30

status

Error

stytchApiError.errorMessage

Unauthorized credentials.

stytchApiError.errorType

unauthorized_credentials

stytchApiError.errorUrl

https://stytch.com/docs/api/errors/401#unauthorized_credentials

stytchApiError.requestId

request-id-test-cc77a650-0eff-41fa-95a2-d8308ddcd9e4

stytchApiError.statusCode

401

userAgent

Stytch.js Javascript SDK/v5.17.0

matt-stytch · July 21, 2025, 1:52pm

Hi Jerry - thanks for posting!

I see you also asked this question in our Community Slack, which I happened to see first and just responded to. I’ll paste my response below for posterity in case anyone else has a similar question:

It looks like the 401 unauthorized_credentials error here is occurring because an existing, valid Stytch Session is being sent along with the request.

I’m seeing that this request was made via our frontend JS SDK. If a user is logged in, or if there is otherwise a Stytch Session still present in browser cookies, it will automatically be sent along with any requests for authentication.

The Password Create method being called here in particular does not support this; it is intended to be used when there is not an existing Session, and creates a new Stytch User and a corresponding Stytch Session.

From your description it sounds like the Stytch Session being sent along here is hanging around by accident, and that when this error occurs you expect the starting state to be a logged-out state - is that right?

Jerry_Holmes · July 21, 2025, 3:07pm

You are exactly and precisely correct.

Is there something I can do to explicitly shut down the session?

matt-stytch · July 21, 2025, 3:19pm

Yes, our Revoke Session method ( session.revoke() ) was created to do exactly that!

If this was happening consistently, we’d also recommend looking into why the Session was still around in the first place - for example if your application has a logout flow that isn’t properly revoking the existing Session, or something similar. Happy to answer any other questions that might arise.

Jerry_Holmes · July 21, 2025, 3:23pm

I will audit what happens when the user is logging out. This scenario really only occurs when product testing, because a tester a) creates and account as an admin b) then logs out and c) attempts to test the newly created account. So it’s an edge case… but one that needs to be addressed.

Thank you for your help and stay tuned. I’ll mark this as a solution later today if all works out.

matt-stytch · July 21, 2025, 3:55pm

Sounds good, keep us posted!

Topic		Replies	Views
Stytch_sessnion_jwt is empty (0 length) Questions	14	31	October 23, 2025
Stytch session not being created Questions oauth , sessions	2	648	February 1, 2023
passwords.resetByExistingPassword Questions	11	532	February 21, 2023
Example code for adding email to a user account? Questions	3	976	August 30, 2023
Integrate Stytch with Spring Security Questions user-management , email-magic-links	19	1353	August 21, 2024

401 Unauthorized Credentials error

Related topics