Inform the user about invalid (expired) personal access token during data download

[Steffengreiner]

Is your feature request related to a problem? Please describe.
If the user provides an invalid Personal Access Token (PAT) during data download via wget, the server will provide a non specific HTTP 403 response.

wget --content-disposition --trust-server-names --header "Authorization: Bearer <censored>" -i *_<input_measurements>.txt

Resolving <server>
Connecting to <server>:443... connected.
HTTP request sent, awaiting response... 403 
2025-12-16 14:07:15 ERROR 403: (no description).

Data Download via curl does not provide a direct response to the user, instead opting to only generate empty files in the download directory:

curl -OJ -H "Authorization: Bearer <censored>" https://<server>/measurements/<measurementId>

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

Describe the solution you'd like
Ideally, the user is informed that the download failed due to an invalid personal access token.
This could be done via a 401 HTTP error response providing additional information in the www-authenticate attribute about the access token expiration in its response header.

Additionally, add the -v flag to the curl command in the raw data download documentation to ensure the user at least is informed if an error occured during data download

[sven1103]

According to https://www.rfc-editor.org/rfc/rfc2616#section-10.4.2, the correct status code here would be 401 - Unauthorized and the reason (token expired) can be provided in the "WWW-Authenticate" header:

If the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials

And relevant:

https://www.rfc-editor.org/rfc/rfc6750#section-3

If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field; it MAY include it in
response to other conditions as well. The "WWW-Authenticate" header
field uses the framework defined by HTTP/1.1 [RFC2617].

and the example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
error="invalid_token",
error_description="The access token expired"

[sven1103]

When working on this, the developer must check carefully the contract for the HTTP status codes.

401 => Authentication issues, e.g. missing or invalid token or expired token
403 => Authorization issues e.g. no authorized access for the requested resource