Should you be returning 200's when an invalid token/secret is sent?

This is happening on the token being generated.
Also happening on query being run, just returns 200’s.