WWW-Authenticate is a requirement of HTTP itself, not Basic Auth. Returning 401 without this header (which API Gateway does) violates RFC 7235. It is the means by which HTTP negotiates an authentication protocol; without it, there is no way for authentication to proceed except by guessing.