Which WWW-Authenticate header to use?
The spec states the following:
If the token is not valid, the endpoint MUST return an appropriate HTTP 400, 401 or 403 response. The response body is not significant.
Then, for a 401, we should also add a WWW-Authenticate header:
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource. [source]
What kind of challenge should that be? Is the header WWW-Authenticate: IndieAuth acceptable, should it be WWW-Authenticate: Bearer, or something different?
Because the token endpoint part of the flow seems to solely use Bearer tokens and rely a lot on core OAuth 2.0 mechanics (e.g. revocation is basically RFC 7009 without modifications), I went with RFC 6750 error responses for Mintoken. Those all use WWW-Authenticate: Bearer.
The AutoAuth draft also went with WWW-Authenticate: Bearer, although I forget the rationale behind that. @sknebel mind commenting?
That said, it may be nice to get some examples and/or clarifications about error responses in the IndieAuth spec, as I still have questions.
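As an added illustration, not code from this issue, from Mintoken or from the spec: a small Python handler for the token verification step that answers with the RFC 6750 Bearer challenge the reply above settles on (400 invalid_request, 401 invalid_token, 403 insufficient_scope, and a bare challenge when no credentials were sent at all). The token store, realm and claim values are constructed sample data.

```python
import hmac

# Constructed sample store: access token -> the claims an IndieAuth token
# endpoint returns for a valid token (me, client_id, scope).
TOKEN_STORE = {
    "tok_example_123": {
        "me": "https://user.example.net/",
        "client_id": "https://app.example.com/",
        "scope": "create update",
    },
}
REALM = 'realm="indieauth"'  # assumed realm value for the challenge


def _lookup(token):
    """Compare against every stored token in constant time so that response
    timing does not reveal how many leading characters matched."""
    for stored, claims in TOKEN_STORE.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return claims
    return None


def verify_token(authorization_header, required_scope=None):
    """Return (status, headers, body) for a GET to the token endpoint.

    Error handling follows RFC 6750 section 3: every 401/403 carries a
    WWW-Authenticate: Bearer challenge, and a request that sent no
    credentials gets the challenge without an error code.
    """
    if not authorization_header:
        return 401, {"WWW-Authenticate": f"Bearer {REALM}"}, {}
    parts = authorization_header.split(None, 1)
    # Scheme names are case-insensitive (RFC 7235); anything but Bearer,
    # or an empty token, is a malformed request.
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        hdr = f'Bearer {REALM}, error="invalid_request"'
        return 400, {"WWW-Authenticate": hdr}, {"error": "invalid_request"}
    claims = _lookup(parts[1].strip())
    if claims is None:
        hdr = f'Bearer {REALM}, error="invalid_token"'
        return 401, {"WWW-Authenticate": hdr}, {"error": "invalid_token"}
    if required_scope and required_scope not in claims["scope"].split():
        hdr = f'Bearer {REALM}, error="insufficient_scope", scope="{required_scope}"'
        return 403, {"WWW-Authenticate": hdr}, {"error": "insufficient_scope"}
    return 200, {"Content-Type": "application/json"}, dict(claims)
```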