Fix HTTP status code bug

[cxj]

I believe status 400 is in error. A request needing authentication should be 401, if I understand correctly. From Wikipedia:

401 Unauthorized (RFC 7235) Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.

[cxj]

PR 20 and 21 need to go together to make Travis happy, I believe.

[cxj]

Superseded by PR #22.