diff --git a/web/docs/tutorials/todo-app/auth.md b/web/docs/tutorials/todo-app/auth.md
index 975ff1f4d..8d8801aec 100644
--- a/web/docs/tutorials/todo-app/auth.md
+++ b/web/docs/tutorials/todo-app/auth.md
@@ -220,7 +220,7 @@ Next, let's update the queries and actions to forbid access to non-authenticated
 import HttpError from '@wasp/core/HttpError.js'
 
 export const getTasks = async (args, context) => {
-  if (!context.user) { throw new HttpError(403) }
+  if (!context.user) { throw new HttpError(401) }
   return context.entities.Task.findMany(
     { where: { user: { id: context.user.id } } }
   )
@@ -231,7 +231,7 @@ export const getTasks = async (args, context) => {
 import HttpError from '@wasp/core/HttpError.js'
 
 export const createTask = async ({ description }, context) => {
-  if (!context.user) { throw new HttpError(403) }
+  if (!context.user) { throw new HttpError(401) }
   return context.entities.Task.create({
     data: {
       description,
@@ -241,7 +241,7 @@ export const createTask = async ({ description }, context) => {
 }
 
 export const updateTask = async ({ taskId, data }, context) => {
-  if (!context.user) { throw new HttpError(403) }
+  if (!context.user) { throw new HttpError(401) }
   return context.entities.Task.updateMany({
     where: { id: taskId, user: { id: context.user.id } },
     data: { isDone: data.isDone }