Requests made w/o a proper access token return 401 rather than 403

All unauthorized status codes returned by Spring security are 401 - UnAuthorized. 

The documentation indicates a 403 - Forbidden should be returned. Which is right?

(I'm thinking all the 403's should be changed to 401's and that the ESPI documentation, if any, should indicate a 401 be returned)
