Does an HTTP status code 400 with Response "Invalid Credentials" Indicate the the HTTP Client Is Hitting the Endpoint

I have a simple HTTP client which needs to get a token from an endpoint external to my company. My belief is that the endpoint has been whitelisted for access, however my code returns BAD REQUEST. This is confused when I run the equivalent as a request via VSCode, which returns a response of:

400 Bad Request but qualified with the content:

{
"message": "Invalid credentials."
}

Which would seem to imply that the endpoint is being hit. Can anyone provide some insight into what is happening here.

Kind Regards
Paul J.

Simply because you got back a message doesn't necessarily mean you are reaching the specified endpoint. It is going to depend on the setup of the external web service.

For example, a web API that I work on and maintain uses AWS API Gateway with a AWS lambda token authorizer in front of it. All requests first go through this authorizer to see if they have valid credentials supplied. If not, the authorizer will return back a 401 Unauthorized message, not our actual web API that is trying to be reached. This is why you can't assume you are actually reaching the API with a test like this, since its not clear if the service itself it performing the validations, or something else.

You can sort of test this by trying some bogus endpoints out and seeing what you get as a response. If you try a valid endpoint you know exists and then a bogus one that doesn't exist, if you get back the same 400 { "message": "Invalid credentials." } response, you can say with some confidence that you aren't actually reaching the API itself, but rather something in front it (its not guaranteed though since again, it depends on how the external service is configured).