In the spec the error status responses are specified:
401 | Unauthorized | An error message string
403 | Forbidden | An error message string
Suggest clarifying that
HTTP Status responses are always in regards to the use of the PDP decision API and are unrelated to the decision outcomes.
A status 401 from the PDP itself means the HTTP client (usually a PEP) is not authorized to call the PDP (e.g. because no
authorization header was provided or was invalid). Likewise, an HTTP Status 403 being returned by a PEP to its client would
normally be based on a status 200 response from the PDP containing a "deny" decision.
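
The distinction above, as an added example that is not part of the original issue or the spec: a PEP-side mapping from the PDP's HTTP reply to the status the PEP gives its own client. The function name, the boolean `decision` field in the 200 body, and the choice of 502 for any PDP-side failure are assumptions made for illustration.

```python
import json

def pep_response(pdp_status: int, pdp_body: str) -> tuple[int, str]:
    """Map a PDP HTTP reply to the (status, reason) the PEP sends its own client."""
    if pdp_status == 200:
        # Only a 200 carries a decision outcome. Assumed body: {"decision": true|false}
        try:
            decision = json.loads(pdp_body).get("decision")
        except (ValueError, AttributeError):
            decision = None  # not JSON, or JSON that is not an object
        # Accept an explicit boolean only; anything else fails closed.
        if decision is True:
            return 200, "permit"
        if decision is False:
            return 403, "deny decision from PDP"
        return 502, "PDP reply had no usable decision"
    if pdp_status in (401, 403):
        # The PDP rejected the PEP's own call (missing or invalid Authorization
        # header, for example). This says nothing about the end user, so it is
        # not relayed as 401/403; it is a PEP configuration fault.
        return 502, "PEP not authorized to call PDP"
    # Any other PDP status is an API-level failure: fail closed.
    return 502, f"PDP error {pdp_status}"

if __name__ == "__main__":
    # Constructed sample replies, not captured from a real PDP.
    samples = [
        (200, '{"decision": true}'),
        (200, '{"decision": false}'),
        (401, "Unauthorized"),
        (403, "Forbidden"),
        (200, "<html>proxy error</html>"),
    ]
    for status, body in samples:
        print(status, body, "->", pep_response(status, body))
```

Logging the two 502 paths separately from the 403 path keeps PEP credential problems from being mistaken for a spike in denied requests.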