401 Unauthorized Error Message

A 401 unauthorized error message indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. There are various reasons this might happen and some of the most common reasons are listed below.

WordPress Plugins

Some WordPress plugins have an option to disable the WordPress REST API. Modern form plugins such as WS Form use the WordPress REST API for administering your form and also for form submissions. In fact, many other WordPress features such as the block editor and blog post comments use this feature too. It provides you with a stable and secure means by which to accept form submissions. You should therefore ensure that the WordPress REST API is not disabled or blocked.

Plugins which block the WordPress REST API will typically return the following message:

{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.","data":{"status":401}}

Some WordPress security plugins may also accidentally block access to certain URLs. Check if your security plugin has blocked any paths that might be used by WS Form. Temporarily disabling your security plugin may help isolate the issue to that particular plugin. The WordPress REST API starts with the following path:

/wp-json/

The WS Form API path starts with:

/wp-json/ws-form/v1/

Password Protected Pages

Make sure that you have not password protected any pages incorrectly; otherwise, accessing those pages without a password will result in a 401 error. In particular, WS Form uses the WordPress REST API, so you should ensure that pages under:

/wp-json/

… are accessible without a password unless absolutely necessary.

NONCE Error

If you have page caching enabled and it is incorrectly configured, it might cause form editing or submissions to fail. Systems that cache web pages, such as Cloudflare and CloudFront, as well as WordPress plugins that provide page caching, can cause this error to occur if they are not configured correctly.

The reason for this may be a WordPress feature called a NONCE (Number used ONCE). A nonce is a unique code that is sent to your web server whenever your form talks to WordPress in the background. The intended purpose of a nonce is to ensure that data sent to your website is from a valid source, and it helps prevent unauthorized access to your website.

WS Form and other popular plugins use this feature to secure your website.

NONCE values are valid for 12 hours, after which any subsequent use of that value will result in an error.

If the page cache timeout setting is set to a value that is too long, an expired nonce may continue to appear in web pages, and this will result in this error.

To ensure your WordPress website is able to handle nonce values properly, we recommend that any page caching is set to 10 hours OR LESS. In the majority of cases, a page cache duration of 1 hour or less is sufficient.

Please refer to the documentation for your caching plugin, CDN or other caching mechanism for information about checking or changing this setting.
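
A way to check a cached page against these limits, as an added example that is not part of WS Form or WordPress: it reads the Cache-Control and Age headers of a page response and flags a cache lifetime above 10 hours or a cached copy at least as old as the 12-hour nonce validity. The function names and sample headers are constructed for illustration, and it assumes the cache honours Cache-Control rather than a separately configured rule.

```python
# Added example (not WS Form or WordPress code); names are illustrative.
NONCE_LIFETIME_S = 12 * 3600  # nonce validity stated on this page
MAX_CACHE_S = 10 * 3600       # page cache limit recommended on this page


def _seconds(value):
    """Parse a non-negative integer number of seconds, else None."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if n >= 0 else None


def shared_cache_ttl(cache_control):
    """Seconds a shared cache (CDN, proxy) may reuse the page; None if unstated."""
    directives = {}
    for part in cache_control.lower().split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name] = value.strip().strip('"')
    # These directives prevent reuse of a stored copy without revalidation.
    if directives.keys() & {"no-store", "no-cache", "private"}:
        return 0
    # s-maxage overrides max-age for shared caches (RFC 9111).
    for name in ("s-maxage", "max-age"):
        ttl = _seconds(directives.get(name))
        if ttl is not None:
            return ttl
    return None


def audit_page_cache(headers):
    """Return 'ok', 'ttl-too-long', 'nonce-expired' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}
    age = _seconds(h.get("age")) or 0
    if age >= NONCE_LIFETIME_S:
        return "nonce-expired"  # this copy was generated at least 12 hours ago
    ttl = shared_cache_ttl(h.get("cache-control", ""))
    if ttl is None:
        return "unknown"  # lifetime is set elsewhere, e.g. in the cache's own rules
    return "ttl-too-long" if ttl > MAX_CACHE_S else "ok"


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real site.
    for sample in ({"Cache-Control": "public, max-age=86400"},
                   {"Cache-Control": "public, max-age=86400, s-maxage=3600"},
                   {"Cache-Control": "max-age=3600", "Age": "50000"}):
        print(sample, "->", audit_page_cache(sample))
```

A result of "unknown" means the response carries no explicit lifetime, so the duration has to be checked in the caching plugin or CDN settings directly.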

For more information about nonces, please visit: https://developer.wordpress.org/plugins/security/nonces/