Recently I got into an argument with a colleague with regard to what HTTP status to return.
The way our API works right now: you need to be authenticated to call any route except the ones which are explicitly configured as public. This means that if you call any endpoint (doesn't matter if it exists or not) without a token, you will get a 401 response. If you call a non-existing endpoint with a valid token, only then does it return 404.
My colleague says that it should be the other way around and we should first check if the route exists and only then validate the token.
What's your opinion on this issue? I've seen it done both ways and I don't have a problem with either approach, but I am leaning more towards returning 401 before 404, because unauthenticated calls shouldn't reveal whether the endpoint exists or not.
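The two orderings described in the question, written out as an added example (not the poster's API or any project's code). It models a minimal dispatcher: routes are matched by exact path, a request is authenticated if its bearer token is in a constructed allow-list, and `auth_first` / `route_first` / `leaks_route_existence` are hypothetical names chosen for this illustration. The point it makes concrete is the information-disclosure difference: with auth-first ordering an unauthenticated caller gets 401 for every non-public path, so the response cannot be used to tell real routes from bogus ones; with route-first ordering the 404/401 split reveals which paths exist.

```python
"""Compare auth-before-routing with routing-before-auth for an API gateway.

Added example, not code from the original post. Assumptions (hypothetical):
a request is authenticated iff its token is in VALID_TOKENS, and routes are
matched by exact path. Status codes follow the question: 401 for missing or
invalid credentials, 404 for an unknown route, 200 otherwise.
"""
from typing import Callable, Optional

# Constructed sample data for the example (not real routes or credentials).
ROUTES = {"/users", "/orders", "/health"}
PUBLIC_ROUTES = {"/health"}            # reachable without a token
VALID_TOKENS = {"token-for-alice"}     # constructed placeholder token


def token_is_valid(token: Optional[str]) -> bool:
    """Hypothetical credential check: membership in a fixed allow-list."""
    return token is not None and token in VALID_TOKENS


def auth_first(path: str, token: Optional[str]) -> int:
    """Ordering the poster's API uses: authenticate, then resolve the route.

    Every non-public path looks identical to an unauthenticated caller (401),
    whether or not the route exists.
    """
    if path not in PUBLIC_ROUTES and not token_is_valid(token):
        return 401
    if path not in ROUTES:
        return 404
    return 200


def route_first(path: str, token: Optional[str]) -> int:
    """Ordering the colleague proposes: resolve the route, then authenticate.

    An unknown path returns 404 before any credential is examined, so the
    401/404 split discloses which routes exist.
    """
    if path not in ROUTES:
        return 404
    if path not in PUBLIC_ROUTES and not token_is_valid(token):
        return 401
    return 200


def leaks_route_existence(handler: Callable[[str, Optional[str]], int]) -> bool:
    """True if an unauthenticated caller can distinguish a real protected
    route from a non-existent one by status code alone."""
    return handler("/users", None) != handler("/does-not-exist", None)


if __name__ == "__main__":
    # Constructed request matrix: (path, token) pairs covering each case.
    cases = [
        ("/users", None),
        ("/does-not-exist", None),
        ("/does-not-exist", "token-for-alice"),
        ("/users", "token-for-alice"),
        ("/health", None),
    ]
    print(f"{'path':<18}{'token':<18}{'auth_first':<12}{'route_first':<12}")
    for path, token in cases:
        print(f"{path:<18}{str(token):<18}"
              f"{auth_first(path, token):<12}{route_first(path, token):<12}")
    print("auth_first leaks route existence:", leaks_route_existence(auth_first))
    print("route_first leaks route existence:", leaks_route_existence(route_first))
```

Running the block prints the status code each ordering returns for the same requests; the last two lines show that only the route-first ordering lets an unauthenticated caller distinguish `/users` from `/does-not-exist`.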