I just figured out that the API responds with a 401 in the case where the authentication is fine (regarding key/secret) but API access hasn't been granted.
Easy to reproduce: just don't allow the user/group access to
Type: GUI
Name: System: Firmware
https://docs.opnsense.org/development/how-tos/api.html
=> the API responds with a 401 ({"status":401,"message":"Authentication Failed"})
That's IMHO not the best solution possible according to https://www.rfc-editor.org/rfc/rfc7235.html:
"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code."
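To illustrate the 401/403 distinction the report refers to, here is an added example (not code from the original post or from the OPNsense project) of a server-side decision function that follows RFC 7235 semantics: missing or wrong credentials get a 401 with a `WWW-Authenticate` challenge, while valid credentials that lack the required privilege get a 403. The key/secret pair and the privilege names are constructed placeholders, not OPNsense's own identifiers.

```python
import base64
import hmac

# Constructed sample data (hypothetical, not OPNsense identifiers):
# one API key/secret pair and the set of privileges granted to that key.
CREDENTIALS = {"demo-key": "demo-secret"}
GRANTED = {"demo-key": {"diagnostics-interface"}}


def basic_header(user, password):
    """Build a Basic Authorization header value for the given user/password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def decide(auth_header, required_privilege):
    """Map a request to (status, headers, body) following RFC 7235 semantics.

    401: credentials missing or not valid; the client may retry with new ones,
         so a WWW-Authenticate challenge is included.
    403: credentials are valid but the required privilege has not been granted;
         retrying with the same credentials will not help.
    """
    creds = _parse_basic(auth_header)
    if creds is None:
        return (401, {"WWW-Authenticate": 'Basic realm="api"'},
                {"status": 401, "message": "Authentication Failed"})
    user, password = creds
    expected = CREDENTIALS.get(user, "")
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return (401, {"WWW-Authenticate": 'Basic realm="api"'},
                {"status": 401, "message": "Authentication Failed"})
    if required_privilege not in GRANTED.get(user, set()):
        return 403, {}, {"status": 403, "message": "Forbidden"}
    return 200, {}, {"status": 200, "message": "OK"}


if __name__ == "__main__":
    good = basic_header("demo-key", "demo-secret")
    print(decide(None, "diagnostics-interface"))            # 401: no credentials
    print(decide(basic_header("demo-key", "wrong"), "diagnostics-interface"))  # 401: bad secret
    print(decide(good, "system-firmware"))                  # 403: valid key, privilege not granted
    print(decide(good, "diagnostics-interface"))            # 200: valid key, privilege granted
```

A client can act on the difference: a 401 means "obtain or fix credentials and retry", whereas a 403 means the credentials are fine and the request should not be retried until an administrator grants the privilege.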