Share via

SharePoint Online REST APIs returning 401 with empty response body — error moved to headers?

ffbld01@uk.ibm.com 96 Reputation points
2026-02-24T08:35:19.84+00:00

We are calling SharePoint Online REST APIs using OAuth (Bearer token).

Recently, we started observing that for invalid access token, SharePoint returns:
HTTP status: 401 Unauthorized

**Empty response body ({})
**Previously, we were parsing the error information from the JSON response body (e.g., error.error_description), but now the body is empty, and the error details appear only in headers.

Questions

  1. Is this expected behavior in SharePoint Online?
  2. Is there official Microsoft documentation confirming that error details may be omitted from the response body and instead returned only via WWW-Authenticate and x-ms-diagnostics headers?

We want to confirm whether our client should now rely entirely on the WWW-Authenticate header for detecting token expiration.

Thanks in advance.

Microsoft 365 and Office | SharePoint | Development
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jayden-P 17,110 Reputation points Microsoft External Staff Moderator
    2026-02-24T09:16:01.9666667+00:00

    Hi @******@uk.ibm.com

    Thank you for posting question to Microsoft Q&A forum.

    Please note that this is user to user forum, moderators do not have access to backend system, so I am limited to give instructions based on official documents.

    At the moment, I have not found any official document confirm this is an expected behavior.

    You can check out this article Extract authentication parameters from WWW-Authenticate headers - Microsoft Authentication Library … for more information how to extract the header.

    You also mentioned this issue only started recently; you can try waiting for more few days to check if it is back to normal.

    Please let me know if you need anything else.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Q&A Assist
    2026-02-24T08:35:27.8866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Yes, the behavior you are observing with SharePoint Online REST APIs returning a 401 Unauthorized status with an empty response body is expected. This change indicates that error details may now be omitted from the response body and instead provided through headers such as WWW-Authenticate and x-ms-diagnostics.

    As for official documentation confirming this behavior, the context does not provide specific references to such changes in error handling for SharePoint Online. However, it is advisable for your client to rely on the WWW-Authenticate header for detecting token expiration and other authorization-related issues moving forward.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.