Its not a dumb question! you are right about the response code 400. Here this application is set to give 400 status code for wrong credentials and 429 for too many attempts. So as per the logic of application if the application is receiving wrong cred it will respond with bad request response code.