diff --git a/lib/api/session.rb b/lib/api/session.rb
index 5bcdf93..b405016 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -8,14 +8,13 @@ module Gitlab
     post "/session" do
       resource = User.find_for_database_authentication(email: params[:email])
 
-      return forbidden! unless resource
+      return unauthorized! unless resource
 
       if resource.valid_password?(params[:password])
         present resource, with: Entities::UserLogin
       else
-        forbidden!
+        unauthorized!
       end
     end
   end
 end
-
diff --git a/spec/requests/api/session_spec.rb b/spec/requests/api/session_spec.rb
index 0809475..f251f39 100644
--- a/spec/requests/api/session_spec.rb
+++ b/spec/requests/api/session_spec.rb
@@ -19,7 +19,7 @@ describe Gitlab::API do
     context "when invalid password" do
       it "should return authentication error" do
         post api("/session"), email: user.email, password: '123'
-        response.status.should == 403
+        response.status.should == 401
 
         json_response['email'].should be_nil
         json_response['private_token'].should be_nil
@@ -29,7 +29,7 @@ describe Gitlab::API do
     context "when empty password" do
       it "should return authentication error" do
         post api("/session"), email: user.email
-        response.status.should == 403
+        response.status.should == 401
 
         json_response['email'].should be_nil
         json_response['private_token'].should be_nil
--
libgit2 0.21.2