
The use of 401 Unauthorized is an annoying one because of a little thing in the spec: "The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource."

AFAICT, this makes it inapplicable to REST APIs that do not use basic or digest authentication, at least without violating the spec for the 401 response code.

Is there something that I've missed?



Why not pass a dummy value to satisfy the spec?


Because a dummy value satisfies the syntax but not semantics of the spec.


400 Bad Request is often a better, albeit generic, option.
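An added example, not part of the thread: a small lint for the requirement quoted in the first comment, which flags 401 responses that lack a WWW-Authenticate challenge and checks that the challenge starts with a syntactically valid auth-scheme. The function names, the `Dummy` scheme and the sample responses are constructed for illustration; the last sample shows that a placeholder challenge passes a syntax check, which cannot judge whether the challenge is applicable to the resource.

```python
import re

# HTTP "token" grammar: one or more tchar characters.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def challenge_scheme(value):
    """Return the auth-scheme of the first challenge, or None if malformed."""
    parts = value.strip().split(None, 1)
    if not parts or not TOKEN.match(parts[0]):
        return None
    return parts[0]


def lint_response(status, headers):
    """Return a list of problems with a response's use of 401."""
    # Header field names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    problems = []
    if status == 401:
        value = lowered.get("www-authenticate")
        if value is None:
            problems.append("401 without WWW-Authenticate")
        elif challenge_scheme(value) is None:
            problems.append("WWW-Authenticate has no valid auth-scheme")
    return problems


# Constructed sample responses: (status, headers).
SAMPLES = [
    (401, {"Content-Type": "application/json"}),    # header missing
    (401, {"WWW-Authenticate": 'Basic realm="api"'}),
    (401, {"WWW-Authenticate": '="x"'}),            # no scheme token
    (400, {"Content-Type": "application/json"}),    # not a 401, nothing to check
    (401, {"www-authenticate": 'Dummy realm="none"'}),  # placeholder passes syntax
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, headers, "->", lint_response(status, headers) or "ok")
```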



