diff --git a/src/Altinn.Broker.API/Helpers/JWTBearerEventsHelper.cs b/src/Altinn.Broker.API/Helpers/JWTBearerEventsHelper.cs
index 80750528..09704a2d 100644
--- a/src/Altinn.Broker.API/Helpers/JWTBearerEventsHelper.cs
+++ b/src/Altinn.Broker.API/Helpers/JWTBearerEventsHelper.cs
@@ -8,8 +8,8 @@ public static Task OnAuthenticationFailed(AuthenticationFailedContext context)
 {
 context.Response.StatusCode = StatusCodes.Status401Unauthorized;
 context.Response.ContentType = "application/json";
- context.Response.Headers.Append("WWW-Authenticate", context.Options.Challenge + " error=\"invalid_token\", error_description=\"" + context.Exception.Message + "\"");
- string err = "";
+ context.Response.Headers.Append("WWW-Authenticate", context.Options.Challenge + " error=\"invalid_token\"");
+ string err = context.Exception.Message;
 if (context.Exception is SecurityTokenInvalidIssuerException)
 {
 context.Response.StatusCode = StatusCodes.Status403Forbidden;
diff --git a/src/Altinn.Broker.API/Program.cs b/src/Altinn.Broker.API/Program.cs
index 59be2792..fbe7be99 100644
--- a/src/Altinn.Broker.API/Program.cs
+++ b/src/Altinn.Broker.API/Program.cs
@@ -130,7 +130,10 @@ static void ConfigureServices(IServiceCollection services, IConfiguration config
 OnAuthenticationFailed = context => JWTBearerEventsHelper.OnAuthenticationFailed(context),
 OnChallenge = c =>
 {
- c.HandleResponse();
+ if (c.AuthenticateFailure != null)
+ {
+ c.HandleResponse();
+ }
 return Task.CompletedTask;
 }
 };
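Review bot: `string err = context.Exception.Message;` makes the raw token-validation exception text the default client-facing error, so any failure that the `is SecurityTokenInvalidIssuerException` branch and whatever follows it (the rest of OnAuthenticationFailed is outside the hunk) do not override will presumably be echoed in the JSON body verbatim; validator messages commonly name the expected issuer or audience, key identifiers and lifetime values, which is more detail than a caller needs and helps an outsider map the validation configuration. Moving the message out of the `WWW-Authenticate` header is the right call, since an unescaped message containing quotes or line breaks could corrupt the header value, but the same text should not simply move into the body. Suggest keeping a fixed default such as `string err = "invalid_token";`, letting the exception-type branches below set short fixed strings, and logging `context.Exception` server-side if a logger is reachable from this static helper.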
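Review bot: The guard `if (c.AuthenticateFailure != null)` is the right fix for keeping the body written by OnAuthenticationFailed from being replaced by the default challenge, but nothing in the code says why the call is conditional, and the next maintainer may "simplify" it back to an unconditional `c.HandleResponse()` or drop it altogether. A one-line comment would carry the reasoning: `// OnAuthenticationFailed has already written the 401/403 response; suppress the default challenge so it is not overwritten. With no failure (no token presented) fall through to the default 401 + WWW-Authenticate.` For consistency with modern C# null checks, `if (c.AuthenticateFailure is not null)` reads better and is immune to operator overloading. This relies on OnAuthenticationFailed always setting the status before returning, which the visible part of that helper does, so the two pieces should be kept in step.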