When sending requests against the API module with a non-existing token, the HTTP response should be 403, not 200.
When sending a request with a non-existing token, the response code should be 403
Response code is 200
curl -ik 'https://matomo.example.com/index.php?module=API&method=API.getMatomoVersion&token_auth=I_DONT_EXIST'
Thanks for your suggestion. You are right, I guess it would make sense to return a proper response code in this case.
This one we might want to do in Matomo 5.0 just because it's kind of a breaking change. We're using some of these URLs with an invalid token in some monitoring tools ourselves and we'd get paged if there's a change and it's no longer HTTP 2XX.
It could also potentially cause issues with the Matomo Mobile app and possibly other apps, etc., when someone is trying to log in with a wrong username/password.
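For monitoring that has to keep working across the change discussed in this thread, the following is an added example and not code from the Matomo project: it classifies raw `curl -i` output by both status code and body, so a rejected token is detected whether the server answers 200 or 403. It assumes the request adds `format=JSON` and that errors arrive as a JSON object with `"result": "error"`; that body shape and the sample responses are assumptions constructed for illustration, not taken from the thread.

```python
import json
import re

STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")

def split_response(raw):
    """Split `curl -i` output into (status, body), keeping the final
    header block when several were printed (for example after a redirect)."""
    text = raw.replace("\r\n", "\n")
    status = None
    while True:
        match = STATUS_LINE.match(text)
        if not match:
            break
        status = int(match.group(1))
        _headers, sep, text = text.partition("\n\n")
        if not sep:  # headers only, no body followed
            text = ""
            break
    if status is None:
        raise ValueError("no HTTP status line found")
    return status, text

def classify(raw):
    """Return 'ok', 'rejected', 'error_in_body' or 'unexpected'."""
    status, body = split_response(raw)
    if status in (401, 403):
        return "rejected"            # behaviour requested in this issue
    if not 200 <= status < 300:
        return "unexpected"
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"
    # Assumed error envelope: a 2XX status that still carries a failure.
    if isinstance(data, dict) and data.get("result") == "error":
        return "error_in_body"
    return "ok"

# Constructed sample responses (not captured from a real server).
SAMPLE_200_ERROR = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                    '{"result":"error","message":"constructed sample"}')
SAMPLE_403 = "HTTP/2 403\r\ncontent-type: application/json\r\n\r\n{}"
SAMPLE_OK = ("HTTP/1.1 301 Moved Permanently\r\nLocation: /index.php\r\n\r\n"
             "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
             '{"value":"0.0.0"}')

if __name__ == "__main__":
    for name in ("SAMPLE_200_ERROR", "SAMPLE_403", "SAMPLE_OK"):
        print(name, classify(globals()[name]))
```

A probe that alerts on anything other than `ok` treats `rejected` and `error_in_body` the same way, so it does not depend on which status code the server uses for a bad token.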