diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d06344c0a..eaecc46b0 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -291,7 +291,11 @@ class ApplicationController < ActionController::Base
         end
         format.api do
           if Setting.rest_api_enabled? && accept_api_auth?
-            head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
+            if api_key_from_request
+              head(:unauthorized)
+            else
+              head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
+            end
           else
             head(:forbidden)
           end
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index b1b28d20c..76d74c309 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@@ -44,6 +44,7 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     end
     get '/users/current.xml', :headers => credentials(user.login, 'wrong_password')
     assert_response :unauthorized
+    assert response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_deny_http_basic_auth_if_twofa_is_active
@@ -67,6 +68,7 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     token = Token.create!(:user => user, :action => 'feeds') # not the API key
     get '/users/current.xml', :headers => credentials(token.value, 'X')
     assert_response :unauthorized
+    assert response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_accept_auth_using_api_key_as_parameter
@@ -81,6 +83,7 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     token = Token.create!(:user => user, :action => 'feeds') # not the API key
     get "/users/current.xml?key=#{token.value}"
     assert_response :unauthorized
+    assert_not response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_accept_auth_using_api_key_as_request_header
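Review bot: The new inner branch returns a 401 without any `WWW-Authenticate` challenge whenever a key was presented, which is a deliberate deviation from RFC 7235 §3.1 (a 401 response is required to carry that header), and nothing in the code says why. A why-comment above the inner `if`, e.g. `# A request that already carried an API key (param or X-Redmine-API-Key) should not trigger a browser Basic auth prompt`, would record the intent for the next maintainer and keep the `else` branch from looking like a leftover. It is also worth confirming that `api_key_from_request` yields nil rather than an empty string when the `key` parameter is present but blank, since `""` is truthy in Ruby and a bare `?key=` would then suppress the challenge for a request that effectively carried no key. The enclosing method begins and ends outside the hunk.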
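Review bot: The added assertions use `has_key?`, whereas the idiomatic Hash predicate (and the one RuboCop's Style/PreferredHashMethods expects) is `key?`; the same applies to the three later hunks in this file. Changing the line to `assert response.headers.key?('WWW-Authenticate')` (and `assert_not response.headers.key?('WWW-Authenticate')` in the key-based tests) keeps the test file consistent with the rest of the codebase. The two positive cases could additionally pin the challenge value with `assert_equal 'Basic realm="Redmine API"', response.headers['WWW-Authenticate']`, so a regression that emits an empty or malformed challenge still fails the test.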
@@ -95,6 +98,7 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     token = Token.create!(:user => user, :action => 'feeds') # not the API key
     get "/users/current.xml", :headers => {'X-Redmine-API-Key' => token.value.to_s}
     assert_response :unauthorized
+    assert_not response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_trigger_basic_http_auth_with_basic_authorization_header