The kind of authorization failure, mapped to an HTTP status + WWW-Authenticate error parameter by the transport (RFC 6750 §3.1).
authorized; proceed
no Authorization: Bearer header -> 401 (no error code)
token rejected / wrong audience -> 401 invalid_token
token lacks a required scope -> 403 insufficient_scope
The kind of authorization failure, mapped to an HTTP status + WWW-Authenticate error parameter by the transport (RFC 6750 §3.1).