1116574 | 2 years ago
Why would you want to announce to the client that he is tripping on a security? When erratic behaviour is detected, systems usually deny access or request more authentication.
In the second case, this seems like a nice quality-of-life code, but this should be mentioned in the RFC and not left for me to figure out. Besides, a more generic "please reauthenticate now" would fit better (so as not to expose the reason?) or even reusing the 403 Forbidden could work for this use case.