I.e. if bad username or password, include this in the response body, for the clients' sake Make sure integration tests reflect this