HTTP 401 Unauthorized or 403 Forbidden for a “disabled” user?

Frontend | Unresolved | 3 | 1136
独厮守ぢ 2021-02-01 04:15

An authentication service allows user accounts to be disabled (a sort of soft-delete).

If the server then receives an authentication request for a disabled user that would

3 answers
  •  南方客 (OP)
     2021-02-01 04:27

    Technically both are correct; it really comes down to how much you want to reveal.

    Returning a 401 says to the caller that the account isn't valid, which is correct, but if your API is then going to be called again to register a user with the same credentials, that call would also fail, which might not be much use to the caller.

    So, it really depends on how your API will be used and who/what the target audience is.
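The trade-off in the answer above, as an added example (not code from the question or the answer): a minimal login handler with a `reveal_disabled` policy switch. With the switch off, an unknown user, a wrong password and a disabled account all produce the same generic 401, so a caller cannot learn whether an account exists or is merely switched off; with it on, a disabled account presented with the *correct* password gets a 403. The in-memory user table, the PBKDF2 hashing and the `reveal_disabled` flag are all assumptions constructed for this example.

```python
"""Added example: uniform 401 versus distinguishing 403 for a disabled account."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    disabled: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a constructed value for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, disabled: bool = False) -> User:
    salt = os.urandom(16)
    return User(salt=salt, pw_hash=_hash(password, salt), disabled=disabled)


# Constructed sample accounts (assumption: a real service would use a database).
USERS = {
    "alice": make_user("correct horse"),
    "bob": make_user("battery staple", disabled=True),
}

# Dummy credential so a lookup of an unknown username costs the same hashing
# time as a known one; otherwise response time alone reveals which names exist.
_DUMMY = make_user("placeholder")


def authenticate(username: str, password: str, reveal_disabled: bool = False) -> tuple:
    """Return (HTTP status, JSON body) for one login attempt.

    reveal_disabled=False: every failure (unknown user, wrong password,
    disabled account) is the same generic 401.
    reveal_disabled=True: a disabled account with the right password gets 403,
    which tells the caller the credentials are valid but the account is off.
    """
    user = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, user.salt), user.pw_hash)

    # Unknown user or wrong password: always 401, never say which.
    if username not in USERS or not password_ok:
        return 401, {"error": "invalid credentials"}

    if user.disabled:
        if reveal_disabled:
            return 403, {"error": "account disabled"}
        return 401, {"error": "invalid credentials"}

    return 200, {"user": username}


if __name__ == "__main__":
    for args in [("alice", "correct horse"), ("bob", "battery staple"),
                 ("bob", "battery staple", True), ("nobody", "x", True)]:
        print(args, "->", authenticate(*args))
```

The uniform-401 branch is the safer default when the login endpoint is reachable by anyone, because it gives no account-enumeration signal; the 403 branch is the more helpful one when the caller is a trusted client that needs to know an account is disabled rather than misspelled. Whichever policy is chosen, a 401 response should also carry a `WWW-Authenticate` header as RFC 7235 requires; the example returns only the status and body for brevity.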
