Hi Bruno, when issuing a HTTP request against a protected resource (I am not logged in), I am getting 401 (fine), but I don't see a 'WWW-Authenticate' header on the response. I also don't see any info on this in the security roadmap (see [1]). Was there a special reason to leave it out? I ask b/c usually that header is sent for basic, digest or even oauth on the response header. Thanks, Matthias [1] http://staging.aerogear.org/docs/planning/1.0.0/AeroGearSecurity/ -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf