A WWW-Authenticate header must be present in the 401 response to make clients know that they can authenticate, and how.