When making an authenticated request if an invalid API key is used (i.e. one not belonging to any user) then Carbon will return a 401 HTTP status, indicating that the user is unauthenticated and that their API key is bad. However, when an API key header is not included Carbon returns a 403 HTTP status, indicating that the user is authenticated but forbidden from accessing the resource. For consistency (and sanity) they should both return the same response.
There's an argument to be made for not distinguishing between 401 and 403 errors but I don't find it particularly compelling as it only leaks whether the API key you're using is valid—though perhaps it's something it would be better to ask @jcottr about.
When making an authenticated request if an invalid API key is used (i.e. one not belonging to any user) then Carbon will return a 401 HTTP status, indicating that the user is unauthenticated and that their API key is bad. However, when an API key header is not included Carbon returns a 403 HTTP status, indicating that the user is authenticated but forbidden from accessing the resource. For consistency (and sanity) they should both return the same response.
There's an argument to be made for not distinguishing between 401 and 403 errors but I don't find it particularly compelling as it only leaks whether the API key you're using is valid—though perhaps it's something it would be better to ask @jcottr about.