Revoked API token authenticates as anonymous access

  1. When I use a wrong (non-existing) API token (e.g. a mistype), the API returns the standard 401 error.
  2. When I use a revoked token, the API switches to anonymous access.
  3. When I use a valid token with another email address, e.g. userX's token with userY's email, the API switches to anonymous access.

The behaviour should be the same: the API should return 401 for any invalid API token, no matter whether it is revoked or used with the wrong email.
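As an added illustration (not code from the report or the project), the buggy fallback described above next to a hardened check. The token store, token values and email addresses are constructed for the example; the one security-relevant rule is that "anonymous" is only acceptable when no credentials were presented at all.

```python
# Added example: distinguish "no credentials" from "bad credentials".
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

class Unauthorized(Exception):
    """Maps to an HTTP 401 response with a plain-text body."""

@dataclass
class Token:
    value: str
    email: str
    revoked: bool

# Constructed token store; the values below are made up for this example.
TOKENS = {
    "tok-user-x": Token("tok-user-x", "userx@example.com", revoked=False),
    "tok-user-y": Token("tok-user-y", "usery@example.com", revoked=True),
}

def authenticate_buggy(email: Optional[str], token: Optional[str]) -> Optional[str]:
    """Reproduces the reported behaviour: only an unknown token is rejected;
    a revoked token or an email mismatch silently degrades to anonymous."""
    if token is None:
        return None                          # anonymous: nothing presented
    if token not in TOKENS:
        raise Unauthorized("invalid token")  # mistyped token -> 401 (correct)
    t = TOKENS[token]
    if t.revoked or t.email != email:
        return None                          # BUG: falls back to anonymous
    return t.email

def authenticate_fixed(email: Optional[str], token: Optional[str]) -> Optional[str]:
    """Hardened: anonymous only when neither token nor email is presented;
    every failure (unknown, revoked, mismatch) gets the same 401 response."""
    if token is None and email is None:
        return None                          # genuinely anonymous request
    t = TOKENS.get(token or "")
    if t is None or t.revoked or t.email != email:
        raise Unauthorized("invalid token")  # uniform error, no detail leak
    return t.email

def http_status(auth: Callable, email: Optional[str], token: Optional[str]) -> Tuple[int, str]:
    """Run an authenticator and report the HTTP status plus resolved principal."""
    try:
        principal = auth(email, token)
    except Unauthorized:
        return 401, "rejected"
    return 200, principal if principal else "anonymous"
```

Running `http_status` over the three cases from the report shows the buggy variant answering 200/anonymous for a revoked token and for a token/email mismatch, while the fixed variant answers 401 for both and keeps 200/anonymous only for a request with no credentials.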

See also

Update: One more problem. When a user is suspended (revoked) from the project, the API returns 401 properly, but the body is an HTML error, unlike the plain-text error message returned when a wrong token is typed.

Update 2024: See also Wrong REST API token authenticates returns HTTP 404 error instead of 401