You should return a 401 Unauthorized status code. You might additionally provide hypermedia to establish the token again.
Think about what happens in a web app. You go to, say, a banking site. If not auth’d, it will send you to the login page. Then you log in and you are good to go for a time. Then it expires and the cycle repeats.
Just a thought.
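A sketch of the 401-plus-hypermedia response suggested above, added here as an example and not part of the original posts. It assumes bearer tokens with the `WWW-Authenticate` challenge format from RFC 6750; the token table, the `/oauth/token` URL and the `_links` body shape are hypothetical.

```python
import json

# Constructed sample data: opaque token -> expiry time (Unix seconds).
TOKENS = {"tok-alice": 1_700_000_600, "tok-bob": 1_700_000_000}
TOKEN_URL = "/oauth/token"  # hypothetical endpoint for obtaining a new token


def _unauthorized(error=None, description=None):
    """Build a 401 whose header and body both tell the client how to recover."""
    challenge = 'Bearer realm="api"'
    if error:
        challenge += f', error="{error}", error_description="{description}"'
    body = {
        "error": error or "unauthorized",
        # Hypermedia link (assumed HAL-style shape) to establish a token again.
        "_links": {"token": {"href": TOKEN_URL, "method": "POST"}},
    }
    headers = {
        "WWW-Authenticate": challenge,
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
    }
    return 401, headers, json.dumps(body)


def authorize(request_headers, now):
    """Return (status, headers, body) for a request to a protected resource."""
    auth = request_headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        # No credentials sent: bare challenge without an error code (RFC 6750).
        return _unauthorized()
    expiry = TOKENS.get(token)
    if expiry is None:
        return _unauthorized("invalid_token", "The access token is not recognized")
    if now >= expiry:
        # Expired token: 401 (not 403), so the client knows to re-authenticate.
        return _unauthorized("invalid_token", "The access token expired")
    return 200, {"Content-Type": "application/json"}, json.dumps({"ok": True})
```
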