If you use HTTP authentication as defined by RFC 7235, 401 would be correct (for missing or incorrect credentials). Howewer you have to implement WWW-Authenticate header field.
Otherwise, use RFC 7231 6.5.3. 403 Forbidden.
Note though that 404 is also applicable as per the above link:
An origin server that wishes to “hide” the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).