In accordance with the Consumer Data Standards (CDS), if an API is invoked by an Accredited Data Recipient (ADR), but the consent has been withdrawn or cancelled, then which error code should be returned by the Data Holder (DH)? 401 Unauthorised or 403 Forbidden?
This is covered by the upstream OAuth standards. If the consent has been withdrawn then the refresh token has been revoked and no access token is issued by the Data Holder. This is an authorisation error with a corresponding OAuth error response. A 401 Unauthorised error with a corresponding OAuth error response should be returned.
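The following is an added, illustrative example of how the two OAuth-level responses described in the answer look in practice; it is not code from the Consumer Data Standards, from this thread, or from any Data Holder. It models a Data Holder with an in-memory consent store: withdrawing a consent revokes its refresh token and every access token minted from it. A later refresh attempt then gets the RFC 6749 section 5.2 token-endpoint error (HTTP 400, `invalid_grant`), and a resource API call with the revoked access token gets HTTP 401 with an RFC 6750 section 3.1 `WWW-Authenticate: Bearer error="invalid_token"` challenge. For contrast it also shows the one case where 403 is the correct answer: a live token that simply lacks the scope the endpoint needs (`insufficient_scope`). The scope string, consent ids and token formats are constructed for the example and are not the CDS values.

```python
"""Illustrative Data Holder behaviour after consent withdrawal (added example).

Not taken from the Consumer Data Standards or any real implementation. The
scope name, consent ids and token formats below are constructed for the demo.
"""
from dataclasses import dataclass, field
import secrets

# Constructed example scope; not a real CDS scope identifier.
API_SCOPE = "bank:accounts.basic:read"


@dataclass
class Consent:
    consent_id: str
    scopes: frozenset
    active: bool = True
    refresh_token: str = ""
    access_tokens: set = field(default_factory=set)


class DataHolder:
    """Minimal in-memory authorisation server + resource server in one object."""

    def __init__(self):
        self.consents = {}    # consent_id -> Consent
        self.by_refresh = {}  # refresh_token -> consent_id
        self.by_access = {}   # access_token  -> consent_id

    def grant_consent(self, consent_id, scopes):
        """Record a new consent and hand back its refresh token."""
        consent = Consent(consent_id, frozenset(scopes),
                          refresh_token=secrets.token_urlsafe(16))
        self.consents[consent_id] = consent
        self.by_refresh[consent.refresh_token] = consent_id
        return consent.refresh_token

    def _issue_access_token(self, consent):
        token = secrets.token_urlsafe(16)
        consent.access_tokens.add(token)
        self.by_access[token] = consent.consent_id
        return token

    def withdraw_consent(self, consent_id):
        """Consent withdrawal revokes the refresh token AND all live access tokens."""
        consent = self.consents[consent_id]
        consent.active = False
        self.by_refresh.pop(consent.refresh_token, None)
        for token in consent.access_tokens:
            self.by_access.pop(token, None)
        consent.access_tokens.clear()

    def refresh_token_grant(self, refresh_token):
        """Token endpoint. Returns (http_status, json_body).

        RFC 6749 section 5.2: a revoked or unknown refresh token is answered with
        HTTP 400 and error=invalid_grant; no access token is issued.
        """
        consent_id = self.by_refresh.get(refresh_token)
        if consent_id is None or not self.consents[consent_id].active:
            return 400, {"error": "invalid_grant",
                         "error_description": "refresh token revoked or unknown"}
        access = self._issue_access_token(self.consents[consent_id])
        return 200, {"access_token": access, "token_type": "Bearer", "expires_in": 300}

    def call_api(self, authorization_header, required_scope=API_SCOPE):
        """Resource endpoint. Returns (http_status, headers, json_body).

        RFC 6750 section 3.1: a revoked/unknown bearer token -> 401 invalid_token;
        a valid token without the needed scope -> 403 insufficient_scope.
        """
        scheme, _, token = authorization_header.partition(" ")
        consent_id = self.by_access.get(token) if scheme == "Bearer" else None
        if consent_id is None or not self.consents[consent_id].active:
            return 401, {"WWW-Authenticate":
                         'Bearer error="invalid_token", '
                         'error_description="token revoked or unknown"'}, {}
        consent = self.consents[consent_id]
        if required_scope not in consent.scopes:
            return 403, {"WWW-Authenticate":
                         f'Bearer error="insufficient_scope", scope="{required_scope}"'}, {}
        return 200, {}, {"consent_id": consent_id, "data": "..."}


if __name__ == "__main__":
    dh = DataHolder()
    rt = dh.grant_consent("consent-1", [API_SCOPE])
    at = dh.refresh_token_grant(rt)[1]["access_token"]
    print("before withdrawal:", dh.call_api("Bearer " + at)[0])   # 200
    dh.withdraw_consent("consent-1")
    print("API after withdrawal:", dh.call_api("Bearer " + at)[:2])  # 401 + challenge
    print("refresh after withdrawal:", dh.refresh_token_grant(rt))   # 400 invalid_grant
```

The distinction the example encodes is the one the question turns on: 401 means "this credential is not (or no longer) acceptable, obtain a new one", which is exactly the state after consent withdrawal, whereas 403 means "the credential is fine but does not authorise this action". Revoking the access tokens together with the refresh token matters in practice, since otherwise an ADR could keep calling APIs on a withdrawn consent until its current access token expires.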