
As a developer I want to use the right http-code for failed token authentication (401 vs 403) #203

Open
gernot303 opened this issue Jan 14, 2017 · 0 comments

Comments

@gernot303
Collaborator

403 Forbidden vs 401 Unauthorized

401

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

403

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.

RFC 2616

So in other words 401 means "You are either not logged in or your login is invalid", whereas 403 means "You do not have permissions to see this or no one has permissions".

The standard for 401 then goes on:

The response MUST include a WWW-Authenticate header field

In our case, Bearer would be the appropriate scheme.
This raises the question of why we do not use the standard Authorization: Bearer <token> in the first place, since this is the suggested method for JWTs.
Not using this scheme currently also requires some minor configuration on the frontend side (see the app.module).

@gernot303 gernot303 changed the title As a developer I want to use the right HTTP-Code for failed token authentication (401 vs 403) As a developer I want to use the right http-code for failed token authentication (401 vs 403) Jan 14, 2017