401 unless a verified principal is present.
401 if anonymous, else 403 unless the caller is admin.
401 if anonymous, else 403 unless the caller holds EVERY named scope.
401 unless a verified principal is present.