When I provide a bad API key to the API, it (rightly) refuses to perform the operation, but (wrongly) responds with a 200 OK status. Why is this not a 401 Unauthorized? In order to verify that the response is not a failure, I have to read the body, parse it, and examine it just to find out that I gave a bad API key. Is this done on purpose?
The API is legacy, not sure how long it will stay this way … What sort of application are you using it for?