  1. eZ Publish / Platform
  2. EZP-22789

REST API mixes 401 and 403 HTTP status

Details

    Description

      Reminder:

      401 basically means that you need to authenticate first and that with a correct authentication, the request might be accepted.

      403 means that the current user does not have access to the resource and it's useless to retry the request.

      In short, 401 is for authentication issues, 403 is for access issues.

      Ref: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

      Unfortunately, our REST API mostly uses 401 instead of 403 and sometimes uses both wrongly.
      Example: https://github.com/ezsystems/ezpublish-kernel/blob/master/doc/specifications/rest/REST-API-V2.rst#untrash-item

      As a result, in the current state, it's close to impossible to correctly handle authentication, access and "normal" errors.
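
The handling problem described above, as an added example that is not part of the original issue or of the eZ Publish code base: a client that re-authenticates on 401 and gives up on 403, run against a constructed server where the user holds a valid token but lacks access. The names `call_with_auth`, `simulate`, `send` and `login` are hypothetical.

```python
# Added example: client-side handling of 401 vs 403 (all names hypothetical).

class AccessDenied(Exception):
    """403: the authenticated user may not access the resource."""

class RequestFailed(Exception):
    """Any other error, including a 401 that re-authentication did not fix."""

def call_with_auth(send, login, token=None):
    """send(token) -> HTTP status code; login() -> fresh token."""
    reauthenticated = False
    while True:
        status = send(token)
        if status == 401 and not reauthenticated:
            token = login()          # authentication issue: log in, retry once
            reauthenticated = True
            continue
        if status == 401:
            raise RequestFailed("401 even with fresh credentials")
        if status == 403:
            raise AccessDenied("no access; retrying is useless")
        if status >= 400:
            raise RequestFailed(f"HTTP {status}")
        return status

def simulate(denied_status):
    """Constructed server: the token is valid but the user lacks access to
    the resource, and the server answers that case with denied_status."""
    calls = {"requests": 0, "logins": 0}
    def send(token):
        calls["requests"] += 1
        return 401 if token != "valid" else denied_status
    def login():
        calls["logins"] += 1
        return "valid"
    try:
        call_with_auth(send, login, token="valid")
        outcome = "ok"
    except AccessDenied:
        outcome = "access denied"
    except RequestFailed:
        outcome = "unexplained failure"
    return outcome, calls["requests"], calls["logins"]

if __name__ == "__main__":
    print(simulate(403))  # server follows the 401/403 split
    print(simulate(401))  # server answers 401 for an access issue
```

With 403 the client can report the access problem after one request; with 401 it logs in again for nothing, repeats the request, and can no longer tell bad credentials from missing permissions.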

          People

            Unassigned Unassigned
            damien.pobel-obsolete@ez.no Damien Pobel (Inactive)