diff --git a/lib/error.js b/lib/error.js
index 834e423b9..4b0bf58f8 100644
--- a/lib/error.js
+++ b/lib/error.js
@@ -90,7 +90,7 @@ AppError.unknownClient = function unknownClient(clientId) {
 
 AppError.incorrectSecret = function incorrectSecret(clientId) {
   return new AppError({
-    code: 401,
+    code: 400,
     error: 'Bad Request',
     errno: 102,
     message: 'Incorrect secret'
@@ -112,7 +112,7 @@ AppError.incorrectRedirect = function incorrectRedirect(uri) {
 
 AppError.invalidAssertion = function invalidAssertion() {
   return new AppError({
-    code: 400,
+    code: 401,
     error: 'Bad Request',
     errno: 104,
     message: 'Invalid assertion'
diff --git a/test/api.js b/test/api.js
index f045b53fa..e03dd5c4e 100644
--- a/test/api.js
+++ b/test/api.js
@@ -337,7 +337,7 @@ describe('/v1', function() {
           url: '/authorization',
           payload: authParams()
         }).then(function(res) {
-          assert.equal(res.result.code, 400);
+          assert.equal(res.result.code, 401);
           assert.equal(res.result.message, 'Invalid assertion');
         }).done(done, done);
       });
@@ -631,7 +631,7 @@ describe('/v1', function() {
             code: unique.code().toString('hex')
           }
         }).then(function(res) {
-          assert.equal(res.statusCode, 401);
+          assert.equal(res.statusCode, 400);
           assert.equal(res.result.message, 'Incorrect secret');
         }).done(done, done);
       });