I believe status 400 is in error. A request needing authentication should be 401, if I understand correctly. From Wikipedia:
401 Unauthorized (RFC 7235)
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.
I believe status 400 is in error. A request needing authentication should be 401, if I understand correctly. From Wikipedia: