Blocked due to unauthorized request (401)
The "Blocked due to unauthorized request (401)" status means your server responded to Googlebot with HTTP 401 Unauthorized - a challenge for credentials. Googlebot does not authenticate, so the request fails and the URL cannot be indexed. Sometimes this is intentional (private admin areas), but most of the time it is a production leak of HTTP Basic Auth left over from staging or a misconfigured CDN rule.
What this GSC status means
Googlebot made an HTTP request for the URL and your server responded with a 401 Unauthorized status, typically accompanied by a WWW-Authenticate header asking for Basic, Digest, or Bearer credentials. Because Googlebot does not provide authentication, it cannot access the content and Google marks the URL as blocked. The URL is excluded from the index because Google has no content to evaluate. This is different from Blocked by robots.txt (robots.txt rule) or Blocked 403 (forbidden without auth challenge).
Common causes
- HTTP Basic Auth left enabled from staging/preview environments when DNS points at production.
- .htaccess or nginx auth_basic rules applied to the whole site or a subfolder.
- Cloudflare Access, Vercel password protection, or Netlify password protection still enabled.
- Paywalled or members-only content returning 401 to any unauthenticated visitor.
- API-only endpoints requiring Bearer tokens accidentally discoverable via sitemap or links.
- CDN origin authentication (signed URLs, IP allowlist) blocking crawler ranges.
- Middleware in Express, Next.js, Rails, or Django that gates routes without a valid session.
How it affects indexing
URLs returning 401 are not crawled, not indexed, and not discoverable in search results. Over time Google stops attempting to crawl them. If this status hits pages you intended to be public, the business impact is severe - zero organic traffic for affected URLs until the auth is removed. For new sites launching out of staging, it is the single most common cause of "our site is not showing in Google" complaints.
How to diagnose
Open a sample affected URL in a fresh incognito window - if a Basic Auth dialog appears, that is the cause. Test with curl -I URL and look for an HTTP/1.1 401 status line and a WWW-Authenticate header. In GSC, use URL Inspection - it will show the exact 401 response code. Check your hosting dashboard: Vercel Project Settings > General > Password Protection, Cloudflare > Access, Netlify > Site Settings > Access Control. Grep your .htaccess or nginx config for auth_basic.
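The curl and grep checks above as a small script, added here as an example and not part of the original page: classify_headers reads curl -sIL output and reports the final status and auth scheme, and find_auth_directives lists the active Apache or nginx auth directives under a path. The function names, the -sIL flags, the skipped "auth_basic off" and "Require all granted" forms, and all sample data are assumptions or constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). All sample data is constructed.

# Read `curl -sIL URL` output on stdin; print "<status> <scheme>" for the
# final response in the redirect chain ("-" when no WWW-Authenticate header).
classify_headers() {
  awk '{ sub(/\r$/, "") }
       /^HTTP\//                          { status = $2; scheme = "-" }
       tolower($1) == "www-authenticate:" { scheme = $2 }
       END                                { print status, scheme }'
}

# Print file:line:text for every active (uncommented) Apache or nginx auth
# directive under the given paths. "auth_basic off" and "Require all granted"
# do not gate anything, so they are skipped.
find_auth_directives() {
  grep -rHnEi '^[[:space:]]*(auth_basic(_user_file)?|AuthType|AuthName|AuthUserFile|Require)[[:space:]]' "$@" |
    grep -vEi '(auth_basic[[:space:]]+off|Require[[:space:]]+all[[:space:]]+granted)'
}

# Constructed response: a redirect followed by a Basic Auth challenge.
sample_headers() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n'
  printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="staging"\r\n\r\n'
}

# Constructed config tree: one leftover staging gate, one commented-out gate.
make_sample_configs() {
  sample_dir=$(mktemp -d)
  printf 'server {\n  auth_basic "staging";\n  auth_basic_user_file /etc/nginx/.htpasswd;\n}\n' > "$sample_dir/site.conf"
  printf '# AuthType Basic\n# Require valid-user\nRequire all granted\n' > "$sample_dir/.htaccess"
  echo "$sample_dir"
}

# Run with the argument "demo" to see both checks on the constructed samples.
if [ "${1:-}" = "demo" ]; then
  sample_headers | classify_headers
  find_auth_directives "$(make_sample_configs)"
fi
```

Against a live site, pipe curl -sIL URL into classify_headers and point find_auth_directives at the directory holding your server config.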
How to fix
1. Test the URL in incognito - if an auth prompt appears, turn off the gating in your hosting or server config.
2. Apache: remove or comment out AuthType, AuthName, AuthUserFile, Require directives in .htaccess.
3. Nginx: remove auth_basic and auth_basic_user_file directives from your server block.
4. Vercel: Project Settings > Deployment Protection > set to Disabled for production.
5. Netlify: Site Settings > Access Control > remove password protection for production.
6. Cloudflare Access: either disable the app for your public domain or add a bypass policy for Googlebot.
7. If the page should genuinely stay private, remove it from sitemap.xml and any internal links.
8. For paywalled content, follow Google's structured data pattern (isAccessibleForFree, CreativeWork schema) instead of 401.
9. After fixing, run URL Inspection > Request Indexing to speed up recrawl.