diff --git a/node/jwt_handler.go b/node/jwt_handler.go
index 363f6b3aad..637ae19686 100644
--- a/node/jwt_handler.go
+++ b/node/jwt_handler.go
@@ -51,7 +51,7 @@ func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
 		strToken = strings.TrimPrefix(auth, "Bearer ")
 	}
 	if len(strToken) == 0 {
-		http.Error(out, "missing token", http.StatusForbidden)
+		http.Error(out, "missing token", http.StatusUnauthorized)
 		return
 	}
 	// We explicitly set only HS256 allowed, and also disables the
@@ -63,17 +63,17 @@ func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
 
 	switch {
 	case err != nil:
-		http.Error(out, err.Error(), http.StatusForbidden)
+		http.Error(out, err.Error(), http.StatusUnauthorized)
 	case !token.Valid:
-		http.Error(out, "invalid token", http.StatusForbidden)
+		http.Error(out, "invalid token", http.StatusUnauthorized)
 	case !claims.VerifyExpiresAt(time.Now(), false): // optional
-		http.Error(out, "token is expired", http.StatusForbidden)
+		http.Error(out, "token is expired", http.StatusUnauthorized)
 	case claims.IssuedAt == nil:
-		http.Error(out, "missing issued-at", http.StatusForbidden)
+		http.Error(out, "missing issued-at", http.StatusUnauthorized)
 	case time.Since(claims.IssuedAt.Time) > jwtExpiryTimeout:
-		http.Error(out, "stale token", http.StatusForbidden)
+		http.Error(out, "stale token", http.StatusUnauthorized)
 	case time.Until(claims.IssuedAt.Time) > jwtExpiryTimeout:
-		http.Error(out, "future token", http.StatusForbidden)
+		http.Error(out, "future token", http.StatusUnauthorized)
 	default:
 		handler.next.ServeHTTP(out, r)
 	}
diff --git a/node/rpcstack_test.go b/node/rpcstack_test.go
index 1e9b835bf3..6602aebd4f 100644
--- a/node/rpcstack_test.go
+++ b/node/rpcstack_test.go
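Review bot: The new 401 responses in the second hunk are written without a `WWW-Authenticate` header, which RFC 7235 requires on every 401 and which RFC 6750 uses to tell a Bearer client why its token was rejected; the same applies to the missing-token branch in the first hunk. Each `http.Error(out, ..., http.StatusUnauthorized)` should be preceded by something like `out.Header().Set("WWW-Authenticate", "Bearer error=\"invalid_token\"")` (plain `"Bearer"` for the missing-token case), ideally via one small reject helper so the header cannot be forgotten on a future branch. While these lines are being touched, the `err != nil` case still echoes `err.Error()` from the JWT library to an unauthenticated caller; a fixed message such as `"invalid token"` reveals less about the parser and key configuration. The enclosing `ServeHTTP` starts before the first hunk, so a shared helper would live outside what is shown here.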
@@ -412,7 +412,7 @@ func TestJWT(t *testing.T) {
 
 		token = tokenFn()
 		resp := rpcRequest(t, htUrl, testMethod, "Authorization", token)
-		if resp.StatusCode != http.StatusForbidden {
+		if resp.StatusCode != http.StatusUnauthorized {
 			t.Errorf("tc %d-http, token '%v': expected not to allow, got %v", i, token, resp.StatusCode)
 		}
 	}