Typically, you’d send a 401 if the client can authenticate and solve the problem, but since you don’t provide a way to authenticate in the API, I’d suggest returning a 403 error (forbidden) instead. This won’t require the header and will indicate to the client that it is unable to access the service.