I have been learning a lot here about REST APIs. I just came to the realization that there should not be a "login" included in a rest api. Keep in mind that I am not talking about the API login, that a programmer may include with the requests to the api. I am talking about end users. For instance, there would be no
https://api.mysite.com/users/login
or
https://api.mysite.com/users/authenticate
The reason why is that the rest api shouldn't care about the state of the users, which are no different from any other records in the other db tables or resources. Whoever builds on top of the api can handle authentication how they see fit. So in your users table you might have a username, password, and hair_color. So you can make an api call like
method: GET
url: https://api.mysite.com/users
http body: {"username":"foo","password":"bar"}
to check for "login", which the api wouldn't treat any different than this request
method: GET
url: https://api.mysite.com/users
http body: {"hair_color":"red"}
They would both return responses with the exact same structure. Then it would be on the other programmers to determine what they wanted to do with the info, they could consider it an authentication for a login, or just a retrieval of information. In short, the api doesn't service end user login, or at least doesn't know that it is playing a role. Therefore you should never return a 401 if a username/password combo for an end-user is not valid and assume that a programmer is attempting to execute a login flow.
My main question is: Is my assumption and logic above correct?
My secondary question (very secondary) is: If so, would the only appropriate time to return a 401 response be when "api user" (the other programmers) authentication fails?
EDIT
I do authenticate api users with http basic auth, by passing the username and password through the header. My questions are aimed solely at "login" for end users.
I am using a rest API but my approach is a little bit different.
What I did is pass the username and password as header parameters rather than as data with each request. Using these, I authenticate the user each time they make a request.
Of course I had to do so because of my project requirement, but I think it is a good approach as you are not worried much about the security part at a certain level.
Hope this helps.
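The pattern both posts describe, an API that authenticates its caller from credentials carried in the request headers on every request and answers 401 when they do not check out, as an added example that is not code from either poster. It assumes the standard HTTP Basic `Authorization` header (the question's EDIT mentions basic auth), a constructed in-memory user store, and PBKDF2-HMAC-SHA256 for password hashing; the user names and passwords are made up here. The 401 carries a `WWW-Authenticate` challenge, which is what makes it a proper "authentication required" response rather than a generic failure; the credential store holds salted hashes, and the comparison is constant-time, so the check is the same amount of work whether the user exists or not.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: a reasonable work factor for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (32-byte digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_store(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a store of username -> (salt, hash); plaintext passwords are not retained."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for username, password in plain.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# Constructed sample users (not taken from the thread).
USERS = make_user_store({"foo": "bar", "alice": "correct horse battery staple"})

# Dummy salt/hash used when the username is unknown, so the hash work is done anyway
# and an attacker cannot tell valid from invalid usernames by response time.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def basic_auth_header(username: str, password: str) -> str:
    """Encode credentials the way an HTTP Basic client does (used by the test and demo)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic <b64>' header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time check of the supplied password against the hashed store."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest does not short-circuit on the first differing byte.
    matches = hmac.compare_digest(candidate, expected)
    return matches and username in USERS


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Authenticate every request from its headers; answer 401 with a challenge on failure."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or not verify_credentials(*creds):
        return (
            401,
            {"WWW-Authenticate": 'Basic realm="api"', "Content-Type": "application/json"},
            json.dumps({"error": "authentication required"}),
        )
    username = creds[0]
    return 200, {"Content-Type": "application/json"}, json.dumps({"user": username})


if __name__ == "__main__":
    for hdrs in ({"Authorization": basic_auth_header("foo", "bar")},
                 {"Authorization": basic_auth_header("foo", "wrong")},
                 {}):
        status, _, body = handle_request(hdrs)
        print(status, body)
```

Because the hashes are derived from random salts at start-up, the store only ever answers "does this password match", never "which users have this password", so a query shaped like the question's `{"username":"foo","password":"bar"}` lookup is not expressible against it. Sending credentials on every request, as the answer does, also means they must travel only over TLS; the code above is transport-agnostic on purpose.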