Problem with HTTP Basic Authorization and certain object types

I can successfully use HTTP Basic Authorization to get the the /api/server endpoint.

However, when I try to access /api/devices?all=true I get a 401 Unauthorized response with text WebApplicationException (SecurityRequestFilter:113 < ...). However, I am definitely sending a Authorization: Basic ... header because I'm using the the same client object that worked to get the server details.

Server endpoint don't require any authorization.

The confusion on my part occurred because in the HTTP standard, there doesn't appear to be a semantic difference between the response when no Authorization header is supplied, vs. the response for an invalid password. And due to a server misconfiguration, the latter scenario was occurring when I thought it was the former.