Yep, tested against several service providers. None return 403 for unauthorized.
They all return 401 for multiple reasons, unfortunately. So there are still some cases where we will delete a token that might not actually have been revoked. For example, most service providers can't distinguish between a token that has been revoked and a bad signature due to a bug on our side. This is still better off than we were before. I made the switch to using constants in those places. http://codereview.appspot.com/154105