401 means the access token is
missing or expired: refresh it, then reconnect the user if the refresh also fails. A 403
means the call is not permitted and carries an error field: insufficient_scope (re-run the
authorize step requesting read:client-accounts) or forbidden (the connected user is not
eligible or lacks permission, which reconnecting will not fix). The 400 and 403 responses
carry an { error, message } body, and a 401 is an empty bearer challenge with no body. See
Authentication Details for the full model.
