Hi, using ktor client there is no body when we get a 401. There is a body if we change the api to return 400 for example. Is there a reason for this?

401

indicates to the client that it lacks authentication credentials for the requested resource; generally clients will use that response code, in combination with the WWW-Authenticate header in the response, to resend the request with authentication credentials (which may elicit a 403 Forbidden if the credentials are invalid). RFC. While the RFC is silent on whether a body is allowed or not, the specified semantics don’t facilitate processing a body as the client is to retry the request with authentication credentials. Anything beyond that is custom behaviour, assuming the http client could be customized to support that.

Either the server doesn't send the response body, or the body is consumed by the other part of the application.

https://www.rfc-editor.org/rfc/rfc9110.html#name-client-error-4xx

the server SHOULD send a representation containing an explanation of the error situation

the body is not mandatory but expected, especially when https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized

the user agent SHOULD present the enclosed representation to the user

so IMO it's an issue if ktor doesn't allow you to do that