Explorer API returns HTTP 403 forbidden for non-existent resources

[adamretter]

When accessing a resource that does not exist via the /explorer API, we should we return HTTP 403 or HTTP 404. Arguable 403 is more secure, but perhaps misleading... we need to give this some thought.

[duncdrum]

has thought been given? 403 seems the better choice to me, not sure how it is misleading because the /explorer endpoint is there?

[adamretter]

I think that if the user is authorized and the resource does not exist then the response should be 404, if the user is not authorized that takes priority and the response should be 403