This is a conceptual question.

I have a client (mobile) application which needs to support a login action against a RESTful web service. Because the web service is RESTful, this amounts to the client accepting a username/password from the user, verifying that username/password with the service, and then just remembering to send that username/password with all subsequent requests.

All other responses in this web service are provided in a JSON format.

The question is, when I query the web service simply to find out whether a given username/password are valid, should the web service always respond with JSON data telling me its successful or unsuccessful, or should it return HTTP 200 on good credentials and HTTP 401 on bad credentials.

The reason I ask is that some other RESTful services use 401 for bad credentials even when you’re just asking if the credentials are valid. However, my understanding of 401 responses are that they represent a resource that you are not supposed to have access to without valid credentials. But the login resource SHOULD be accessible to anyone because the entire purpose of the login resource is to tell you if your credentials are valid.

Put another way, it seems to me that a request like:

myservice.com/this/is/a/user/action 

should return 401 if bad credentials are provided. But a request like:

myservice.com/are/these/credentials/valid

should never return 401 because that particular URL (request) is authorized with or without valid credentials.

I’d like to hear some justified opinions one way or the other on this. What is the standard way of handling this, and is the standard way of handling this logically appropriate?