@mariusor I think what I try to do is:
- 401 - no authentication provided
- 403 - authentication is present and valid, but not authorized
- 400 - authentication is present but not valid, like missing fields
Does that seem right to you?
Also, I think the `created` timestamp is necessary for preventing replay attacks. It's pretty important!
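The status-code split and the `created` freshness check from the comment above, as an added example that is not code from this thread or from the project under discussion. The parameter layout, the field names other than `created`, the 300-second window, the `allowed_keys` set, and the choice to answer a stale `created` or a failed signature with 401 are assumptions; the cryptographic check itself is passed in as a stand-in callable.

```python
import re

# Assumed parameter names; only `created` comes from the comment above.
REQUIRED = ("keyId", "created", "signature")
MAX_SKEW = 300  # seconds `created` may differ from server time (assumed)

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([0-9]+))')


def parse_params(header):
    """Parse key="value" and key=123 pairs into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(header or "")}


def status_for(header, now, allowed_keys, signature_ok=lambda params: True):
    """Return the HTTP status for one request's authentication header.

    signature_ok stands in for the real signature verification (not shown).
    """
    if not header:
        return 401  # no authentication provided
    params = parse_params(header)
    if any(not params.get(name) for name in REQUIRED):
        return 400  # present but not valid: missing or empty fields
    if not re.fullmatch(r"[0-9]+", params["created"]):
        return 400  # `created` must be a Unix timestamp
    if abs(now - int(params["created"])) > MAX_SKEW:
        return 401  # stale or future-dated, possibly replayed (assumed mapping)
    if not signature_ok(params):
        return 401  # signature does not verify (assumed mapping)
    if params["keyId"] not in allowed_keys:
        return 403  # present and valid, but not authorized
    return 200


# Constructed sample values, not taken from real traffic.
NOW = 1_700_000_000
GOOD = 'keyId="alice",created=1700000000,signature="c2ln"'

if __name__ == "__main__":
    print(status_for(None, NOW, {"alice"}))          # nothing sent
    print(status_for(GOOD, NOW, {"alice"}))          # fresh and authorized
    print(status_for(GOOD, NOW + 3600, {"alice"}))   # same header an hour later
```

Without the freshness check, the third call would return the same result as the second, which is the replay the `created` timestamp is there to stop.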