Add WWW-Authenticate header for 401 responses

It might be helpful to users to include a WWW-Authenticate header in a 401 Unauthorised response that provides detail to clients about what authorisation tokens should be acquired before requests may be retried.

See RFC 6750, section 3.