radarphp / Radar.Adr

The Action-Domain-Responder core for Radar.
MIT License

Combined fix for previous PRs #20 and #21. #22

Closed cxj closed 9 years ago

cxj commented 9 years ago

The status 400 is in error. A request needing authentication should return HTTP status 401, if I understand the standard correctly.

From Wikipedia: "401 Unauthorized (RFC 7235): Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication."

pmjones commented 9 years ago

There's some extended discussion about this under #13. In short, a 401 response mandates that you send back a WWW-Authenticate header, which is not necessarily what you always want to do. The problem is that there is no "not authenticated" response type (as opposed to "not authorized", which is a different thing).
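As an added illustration of the 401/403 distinction and the WWW-Authenticate requirement discussed above (example code written for this thread, not part of Radar.Adr and not using its API): a minimal responder that returns 401 with a Basic challenge when no valid credentials are present, 403 when the caller is authenticated but lacks the required role, and a small conformance check that flags a 401 sent without the mandatory header. The user table, realm name and role names are constructed for the example.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (not a PSR-7 object)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed sample credential store: username -> (password, roles).
# A real application would store password hashes, never plaintext.
USERS = {
    "alice": ("correct-horse", {"admin"}),
    "bob": ("battery-staple", set()),
}
REALM = "radar-example"  # assumed realm name for the challenge


def basic_header(user, password):
    """Build a Basic Authorization header value (used for sample requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization):
    """Return the username proven by a Basic Authorization header, or None."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credentials are treated as absent
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        return None
    expected = USERS[user][0]
    # Constant-time comparison so timing does not leak the password.
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def respond(headers, required_role="admin"):
    """Route the request to 401 / 403 / 200 based on authn and authz."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        # Not authenticated: 401, and RFC 7235 requires a challenge.
        challenge = f'Basic realm="{REALM}", charset="UTF-8"'
        return Response(401, {"WWW-Authenticate": challenge}, "authentication required")
    if required_role not in USERS[user][1]:
        # Authenticated but not permitted: 403, no challenge involved.
        return Response(403, {}, "forbidden")
    return Response(200, {}, f"hello {user}")


def rfc7235_problems(response):
    """List RFC 7235 conformance problems for a response (empty if none)."""
    problems = []
    if response.status == 401 and "WWW-Authenticate" not in response.headers:
        problems.append("401 without WWW-Authenticate challenge")
    return problems


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": basic_header("bob", "battery-staple")},
                 {"Authorization": basic_header("alice", "correct-horse")}):
        r = respond(hdrs)
        print(r.status, r.headers, rfc7235_problems(r))
```

The point of `rfc7235_problems` is the one raised in the thread: a bare 401 is not a valid "not authenticated" signal on its own, so a responder that cannot offer a challenge has to choose a different status rather than omit the header.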

cxj commented 9 years ago

Replied under #13.