Jon Galloway explains this perfectly in his ASP.NET Web API screencast - Authorization (Highly Recommended Viewing)
Take an API controller, such as the one below, where you have used the Authorize attribute:

```csharp
[Authorize]
public class CommentsController : ApiController
{
    ...
}
```
He says: if a client makes an unauthorized request, the AuthorizationFilter does the only thing that makes sense for an HTTP API: it returns an HTTP 401 status code, authorization required. Again, we come back to the importance of using HTTP for the API: we don't need to arrange anything; any client on any platform will know what an HTTP 401 response means.
It is up to the client to decide what to do when it receives a 401. In this JavaScript / browser-based example, we simply redirect to the client login page.

```javascript
$(function () {
    $("#getCommentsFormsAuth").click(function () {
        viewModel.comments([]);
        $.ajax({
            url: "/api/comments",
            // Ask for JSON via the Accept header (jQuery's "accepts" option
            // expects a dataType-to-MIME map, not a MIME string).
            headers: { Accept: "application/json" },
            cache: false,
            statusCode: {
                // Authorized: show the comments.
                200: function (data) {
                    viewModel.comments(data);
                },
                // Not authorized: send the user to the login page.
                401: function (jqXHR, textStatus, errorThrown) {
                    self.location = '/Account/Login/';
                }
            }
        });
    });
});
```

Here, in the example, when you get a 401 it is up to you to decide what needs to be done.
Hope this helps.
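An added example, not part of the original answer or the screencast: one central handler that applies the same "401 means go to login" decision to every AJAX call and passes the current page along as a return path, restricted to local paths. The `ReturnUrl` parameter name and the helper names are assumptions; `/Account/Login/` is taken from the answer's code.

```javascript
// LOGIN_PATH comes from the answer above; "ReturnUrl" is an assumed parameter name.
const LOGIN_PATH = "/Account/Login/";

// Accept only same-site paths: exactly one leading "/", never "//" or "/\"
// (browsers resolve those to another host), and no control characters.
function isLocalPath(path) {
  if (typeof path !== "string" || path.length === 0) return false;
  if (path[0] !== "/") return false;
  if (path[1] === "/" || path[1] === "\\") return false;
  return !/[\u0000-\u001f\u007f]/.test(path);
}

// Build the login URL, dropping the return path when it is not local
// or when it points back at the login page itself (redirect loop).
function loginUrl(returnPath) {
  const onLogin = isLocalPath(returnPath) &&
    returnPath.toLowerCase().startsWith(LOGIN_PATH.toLowerCase());
  if (!isLocalPath(returnPath) || onLogin) return LOGIN_PATH;
  return LOGIN_PATH + "?ReturnUrl=" + encodeURIComponent(returnPath);
}

// Map an HTTP status to a client action. The server's 401 is the actual
// authorization decision; this only chooses what the UI does next.
function actionForStatus(status, currentPath) {
  if (status === 200) return { type: "render" };
  if (status === 401) return { type: "redirect", url: loginUrl(currentPath) };
  return { type: "error", status: status };
}

// Browser wiring: one global handler instead of a 401 callback per request.
if (typeof window !== "undefined" && window.jQuery) {
  window.jQuery(document).on("ajaxError", function (event, jqXHR) {
    const here = window.location.pathname + window.location.search;
    const action = actionForStatus(jqXHR.status, here);
    if (action.type === "redirect") window.location.assign(action.url);
  });
}
```

The login page still has to validate the return path on the server before following it, since the query string is under the visitor's control.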