The problem goes way beyond any singular ecosystem and extends to the most basic standards as well.
For me one of the most confusing things about this topic is the use of "Unauthorized" in 402 [1], when the dictionary definition is about not having permission and authority to do an action [2].
So in my projects I usually use:
- 402 - Unidentified (identification) or Unauthenticated (Authentic identity)
- 403 - Forbidden (permission)
If you’re looking to reduce confusion, I’d avoid using HTTP status codes in non-standard ways. Yeah, it’s unfortunate that HTTP calls 401 “unauthorized” when it has the meaning of “unauthenticated” everywhere else (e.g. “you have failed to prove who you are”), but basically all devs are familiar with this wart. 402 is “payment required”; using that for errors that should be 401 or 403 according to the HTTP spec is more confusing than just using 401 and 403 in spec-compliant ways.
You can sort of convolute a reason why 401 Unauthorized is valid, based on the fact that most systems which control access to resources have a (often implicit) policy that users for whom the identity is not known are not allowed to access anything.
Therefore the request is unauthorized because the server wasn't able to authenticate the user. But that's still not consistent with 403, so it's not very satisfying.
But this also speaks to one of the nubs of the terminology issue. "Actors" are authenticated, "Actions" are authorized.
Yeah, I think if they were renaming these response codes today, they’d name them something more like “401 Not Authenticated” and “403 Not Authorized”, but it’s too late for that. And I personally think you can say that either an actor or an action is “not authenticated.”
Ah I see. If you mean you’re using 401 for “couldn’t authenticate this request”, and 403 for “you lack permissions to be allowed to do this”, then yeah, that’s standard, spec compliant usage.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
[2] https://www.merriam-webster.com/dictionary/unauthorized
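The spec-compliant split the thread lands on (401 when the server cannot establish who is calling, 403 when it knows who is calling and the answer is no) is easy to get subtly wrong in practice: a 401 without a WWW-Authenticate challenge, or a 403 handed to an unauthenticated request. The following is an added example, not code from any poster or project above; the users, passwords, permission table, realm name and function names are all hypothetical. It shows a minimal HTTP Basic handler that distinguishes the two cases the way RFC 9110 describes them.

```python
import base64
import binascii
import hmac
from typing import Dict, Mapping, Optional, Set, Tuple

# Constructed sample data for the example (hypothetical users and policy,
# not taken from any real system).
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("GET", "/reports"), ("DELETE", "/reports")},
    "bob": {("GET", "/reports")},
}
REALM = "example"
# Compared against when the user is unknown so the unknown-user path costs
# roughly the same as the known-user path.
DUMMY_PASSWORD = "no-such-user-placeholder"


def authenticate(headers: Mapping[str, str]) -> Optional[str]:
    """Return the caller's user name, or None if the request carries no
    usable credentials. Only the Basic scheme is understood here."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("authorization")
    if not value:
        return None
    scheme, _, param = value.strip().partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credentials are treated as no credentials
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user, DUMMY_PASSWORD)
    # Constant-time comparison; the membership check afterwards ensures a
    # guess matching DUMMY_PASSWORD never logs an unknown user in.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user if ok and user in USERS else None


def authorized(user: str, method: str, path: str) -> bool:
    """Policy check: is this (method, path) allowed for an identified user?"""
    return (method, path) in PERMISSIONS.get(user, set())


def handle(method: str, path: str, headers: Mapping[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request.

    401: identity could not be established. RFC 9110 requires the response
         to carry a WWW-Authenticate challenge telling the client how to
         authenticate.
    403: identity is established but the policy says no; re-sending the
         same credentials will not change the answer.
    """
    user = authenticate(headers)
    if user is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    if not authorized(user, method, path):
        return 403, {}
    return 200, {}


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build an Authorization header for the demo (client side of Basic auth)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(handle("GET", "/reports", {}))                                   # 401 + challenge
    print(handle("GET", "/reports", basic_header("bob", "wrong")))         # 401 + challenge
    print(handle("DELETE", "/reports", basic_header("bob", "battery staple")))  # 403
    print(handle("DELETE", "/reports", basic_header("alice", "correct horse")))  # 200
```

Note that the unauthenticated DELETE from an unknown caller also gets 401, not 403: the server has no identity to evaluate the policy against, so telling the client "you specifically are forbidden" would be both inaccurate and a hint about which paths exist.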