511 Network Authentication Required 5xx
The client needs to authenticate with the network before being granted access — common with public Wi-Fi captive portals.
What does 511 mean?
A 511 Network Authentication Required response means the client needs to authenticate with the network itself — not with the website or service they're trying to reach — before any internet access is granted. This is the standardized status code behind the experience of connecting to public Wi-Fi (at a coffee shop, airport, hotel) and being shown a login/terms-acceptance page before you can browse anywhere.
This is conceptually distinct from 401 (which is about authenticating with a specific server/application) — 511 is about authenticating with the network infrastructure itself, which then affects access to everything, not just one site.
How a 511 behaves
- It's typically generated by the network's captive portal infrastructure, not by the actual website the client was trying to reach — when you try to load any site on a network requiring this, the network intercepts the request and returns 511 (or redirects to a portal page) instead of letting the request reach its real destination
- It can carry a body — typically the captive portal's login/terms page itself
- It applies network-wide — until the client completes whatever authentication the network requires (entering a room number, accepting terms, providing a code), all requests on this network may be intercepted this way, regardless of which site the client is trying to reach
Common causes
If you're operating network infrastructure:
- You're running a public/guest Wi-Fi network with a captive portal requiring login, terms acceptance, or payment before granting general internet access — 511 (or a captive-portal redirect) is how this is communicated at the HTTP level
If you're calling an API:
- If running on a device connected to a network with a captive portal, API requests might be intercepted and receive 511 (or portal content) instead of reaching the intended API — this would typically need to be resolved at the network/device level (completing the portal login) before API requests can succeed
If you're a website visitor:
- You've connected to public Wi-Fi (hotel, airport, cafe) and need to complete a login/terms page before you can access any website — this is 511 in action, even though most users never see "511" explicitly; they just see the portal page
How to fix it
As a network operator:
- 511 (or captive-portal redirect mechanisms) is the standard way to signal "authenticate with this network first" — implementing this correctly helps clients/devices recognize they're behind a captive portal (some operating systems specifically detect this and prompt the user to complete portal login)
As an end user:
- Open a browser and try to navigate anywhere — you should be redirected to the network's login/portal page; complete whatever's required (login, accept terms, enter a code) to gain general access
- Some devices automatically detect captive portals and prompt you; if not, manually opening a browser to any HTTP (not HTTPS) site often triggers the portal
As a developer whose app/API calls are failing on certain networks:
- This is a network-level issue, not something your application code can resolve — the user needs to complete the captive portal login at the OS/browser level before your application's network requests will succeed on that network
511 vs 401
| 401 Unauthorized | 511 Network Authentication Required | |
|---|---|---|
| Authenticating with | A specific server/application | The network infrastructure itself |
| Scope of the issue | This specific request/resource | All network access, until resolved |
| Who typically resolves it | The application (login, token refresh) | The user, via the network's captive portal interface |
Real-world examples
Public Wi-Fi captive portals — at airports, hotels, cafes, and similar venues — are the primary real-world manifestation of 511, even though most users experience this as "a webpage popped up asking me to log in to the Wi-Fi" rather than recognizing a specific status code. Modern operating systems (mobile and desktop) often have built-in captive portal detection, automatically opening a browser window to the portal page when they detect this situation, partly based on receiving 511 or similar signals when attempting connectivity checks.
SEO implications
None for the websites being accessed — 511 originates from network infrastructure, not from the destination website, so it has no bearing on how a website's own content is delivered or indexed (the website itself never even receives these intercepted requests).
FAQ
What's the difference between 511 and 401?
401 is about authenticating with a specific website/application's server. 511 is about authenticating with the network you're connected to — affecting access to everything on that network until resolved, not just one site.
Is 511 the "Wi-Fi login page" status code?
Essentially, yes — it's the standardized HTTP-level signal behind the captive portal experience common on public Wi-Fi networks, even though the actual user-facing experience is a webpage, not a visible "511" message.
Why would my app's API calls fail on certain networks?
If connected to a network with an unresolved captive portal (511), all outbound requests — including your app's API calls — may be intercepted by the network and never reach their intended destination, until the captive portal login is completed at the device/browser level.
Can a website itself return 511?
Not meaningfully — 511 specifically represents the network's response, intercepting traffic before it reaches the destination website. A website's own server wouldn't typically have a reason to return 511, since by the time a request reaches the website, network-level authentication (if required) would already need to have been resolved.
How do operating systems detect captive portals?
Often via periodic connectivity checks — the OS makes a request to a known URL expecting a specific response; if it instead receives something else (511, or a redirect to a portal page), the OS infers a captive portal is present and may prompt the user accordingly.
Fun fact
511 is one of the most widely experienced yet least recognized-by-number status codes in this entire reference — virtually everyone who's used public Wi-Fi has encountered the situation 511 represents, but almost no one thinks of it as "getting a 511" the way someone might recognize "404" — it's a status code whose real-world impact vastly outpaces its name recognition.