If an authentication failure occurs, an HTML response is sent. Everything should be in "application/json".
Bug watches keep track of this bug in other bug trackers.