HTTP 403 responses do not include the WWW-Authenticate header. uses HTTP Basic Authentication, signed against a user's username and password. . If you're using an AJAX style API with SessionAuthentication, you'll need to make . able to authenticate users based on external tokens (e.g. facebook access token), .