For authentication problems, I prefer to use a 412 Precondition Failed. For most of my APIs, I assume that the user is logged in (the Precondition). Although it would be more semantically correct to send the Unauthorized header, I prefer to avoid it since browsers will normally handle it by asking a user to log in, which is confusing and impossible, since my web server is definitely not set up to handle it.