These currently return a 403/401 response, depending on whether the
user was authenticated or not.

We want to verify this behaviour in specs to ensure
backwards-compatibility.