For invalid user name and password combinations, the service should return a 400 HTTP status code, which means that the server received a bad request. The service could also use the 401 (unauthorized) response code, but that code specifies that authentication credentials need to be in the request header, which is not quite what is required. - Paul Dix