diff --git a/backend/server/auth.go b/backend/server/auth.go
index 08c4861..5cb4b3e 100644
--- a/backend/server/auth.go
+++ b/backend/server/auth.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	"codeberg.org/u1f320/pronouns.cc/backend/server/auth"
@@ -19,7 +20,13 @@ func (s *Server) maybeAuth(next http.Handler) http.Handler {
 
 		claims, err := s.Auth.Claims(token)
 		if err != nil {
-			// if we get here, a token was supplied but it's invalid--return an error
+			fmt.Printf("%q: %q\n", "Authorization", token)
+			render.Status(r, errCodeStatuses[ErrForbidden])
+			render.JSON(w, r, APIError{
+				Code:    ErrForbidden,
+				Message: errCodeMessages[ErrForbidden],
+			})
+			return
 		}
 
 		ctx := context.WithValue(r.Context(), ctxKeyClaims, claims)
diff --git a/backend/server/errors.go b/backend/server/errors.go
index 68108f1..5a37ff1 100644
--- a/backend/server/errors.go
+++ b/backend/server/errors.go
@@ -69,6 +69,7 @@ const (
 	// Login/authorize error codes
 	ErrInvalidState     = 1001
 	ErrInvalidOAuthCode = 1002
+	ErrInvalidToken     = 1003 // a token was supplied, but it is invalid
 
 	// User-related error codes
 	ErrUserNotFound = 2001
@@ -81,6 +82,7 @@ var errCodeMessages = map[int]string{
 
 	ErrInvalidState:     "Invalid OAuth state",
 	ErrInvalidOAuthCode: "Invalid OAuth code",
+	ErrInvalidToken:     "Supplied token was invalid",
 
 	ErrUserNotFound: "User not found",
 }
@@ -92,6 +94,7 @@ var errCodeStatuses = map[int]int{
 
 	ErrInvalidState:     http.StatusBadRequest,
 	ErrInvalidOAuthCode: http.StatusForbidden,
+	ErrInvalidToken:     http.StatusUnauthorized,
 
 	ErrUserNotFound: http.StatusNotFound,
 }