401 vs 403: what do you compare first in an API auth bug?

Asks which fields make API auth failures easier to separate without exposing tokens.

When an API auth bug flips between 401 and 403, I usually compare header presence, token age, issuer, audience, scope, resource owner, and environment before changing code. The hard part is giving teammates enough detail without pasting raw credentials into the ticket. What fields do you always include when reporting a 401 or 403 auth failure?