You have status codes, you should use them :)
To me the developer hasn't designed the APIs correctly, since it should have used status codes as you suggested.
Hence if the request has a:
- Valid Token:
  - Status code: 200;
  - Body: not needed;
- Malformed (or missing) Token:
  - Status code: 400;
  - Body: JSON message providing information about what was wrong in the input: `{"errno": X, "error": "<error-message>"}`;
- Token valid but not authorized:
  - Status code: 401;
  - Body: not needed.
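
The three cases above as a single check, added here as an example that is not part of the original answer. It assumes a Bearer token in the `Authorization` header, a token syntax of 32 lowercase hex characters, constructed `errno` values (the answer leaves them as X), and that a well-formed token the server does not know counts as "not authorized"; `check_token` and the sample store are hypothetical names.

```python
import hashlib
import hmac
import json
import re

# Constructed sample store: SHA-256 digests of authorized tokens, so the
# server never keeps raw tokens around.
AUTHORIZED = {hashlib.sha256(b"a" * 32).hexdigest()}
TOKEN_RE = re.compile(r"[0-9a-f]{32}")  # assumed token syntax

# Assumed errno values; the answer above leaves them as X.
ERR_MISSING, ERR_SCHEME, ERR_SYNTAX = 1, 2, 3


def _bad_request(errno, message):
    # Messages describe the input problem only; the token is never echoed back.
    return 400, json.dumps({"errno": errno, "error": message})


def check_token(authorization_header):
    """Return (status_code, body) for a request's Authorization header."""
    if not authorization_header:
        return _bad_request(ERR_MISSING, "missing Authorization header")
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        return _bad_request(ERR_SCHEME, "expected the Bearer scheme")
    if not TOKEN_RE.fullmatch(token):
        return _bad_request(ERR_SYNTAX, "token must be 32 lowercase hex characters")
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against every stored digest.
    authorized = False
    for known in AUTHORIZED:
        authorized |= hmac.compare_digest(digest, known)
    if not authorized:
        return 401, ""  # well-formed but not authorized: no body needed
    return 200, ""  # valid token: no body needed
```
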