diff --git a/app/controllers/auth_controller.rb b/app/controllers/auth_controller.rb
index 9666d2e..eeb4b39 100644
--- a/app/controllers/auth_controller.rb
+++ b/app/controllers/auth_controller.rb
@@ -3,6 +3,20 @@ class AuthController < ApplicationController
 ERR_TICKET_MISMATCH = 'Ticket from callback URL parameter does not match credential from OmniAuth hash'.freeze
+ def failure
+ error = {
+ errors: [
+ {
+ status: '401',
+ title: 'Authentication failed',
+ detail: 'Authentication failed'
+ }
+ ]
+ }
+
+ render json: error, status: :unauthorized, content_type: JSONAPI::MEDIA_TYPE
+ end
+
 def callback
 logger.debug({ msg: 'Received omniauth callback', omniauth: auth_hash, params: params.to_unsafe_h })
diff --git a/config/routes.rb b/config/routes.rb
index 49eed0e..704e35d 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -2,6 +2,7 @@
 direct(:login) { '/auth/calnet' } # convenience to provide login_url helper
 get '/logout', to: 'auth#logout', as: :logout
+ get '/auth/failure', to: 'auth#failure'
 get '/auth/:provider/callback', to: 'auth#callback', as: :omniauth_callback
 scope module: 'preview' do
diff --git a/spec/requests/auth_spec.rb b/spec/requests/auth_spec.rb
index 02162ab..3c11d80 100644
--- a/spec/requests/auth_spec.rb
+++ b/spec/requests/auth_spec.rb
@@ -47,6 +47,18 @@
 end
 end
+ describe 'GET /auth/failure' do
+ it 'returns a JSON authentication failure response' do
+ get '/auth/failure'
+
+ expect(response).to have_http_status(:unauthorized)
+ expect(response.content_type).to start_with(JSONAPI::MEDIA_TYPE)
+
+ parsed = JSON.parse(response.body)
+ expect(parsed['errors'].first['detail']).to eq('Authentication failed')
+ end
+ end
+
 # NOTE: In effect we're just testing omniauth-cas here, but with
 # app-specific configuration and CalNet-specific data, to
 # be completely sure we know what we're doing
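Review bot: The new `failure` action discards the failure reason entirely, so an operator investigating a CalNet login outage gets a bare 401 and nothing in the log; OmniAuth's failure endpoint passes the reason as the `message` (and `strategy`) query parameters, and recording them server-side is one line, e.g. `logger.warn({ msg: 'OmniAuth failure', strategy: params[:strategy], message: params[:message] })`. Not echoing those values into the response is the right call and worth stating in a comment, because `/auth/failure` is a public GET and anything in its query string is attacker-controlled — treat the logged values as untrusted too. A header comment would pin the contract: `# Target of OmniAuth's on_failure redirect (see config/routes.rb). Renders a fixed JSON:API 401 and deliberately does not reflect params[:message].` The static `error` hash could also live as a frozen constant next to `ERR_TICKET_MISMATCH` instead of being rebuilt per request, and `title` and `detail` currently carry the same string.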
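Review bot: The new route carries no `as:` name while its sibling on the next line is `as: :omniauth_callback`; `as: :omniauth_failure` would keep the two consistent and give the specs a URL helper. Nothing here ties the fixed path to OmniAuth, so a short comment would help the next reader: `# Target of OmniAuth's FailureEndpoint redirect (/auth/failure?message=…&strategy=…); must match OmniAuth's path_prefix.` OmniAuth raises instead of redirecting in the environments listed in `failure_raise_out_environments` (development by default), so this route is presumably only reached in test and production unless `on_failure` is configured — worth confirming against the initializer.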
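Review bot: The new example requests `/auth/failure` directly, so it never shows that a failed CalNet login actually lands here — a wrong `on_failure` setting or a typo in the route would still pass. If the suite runs OmniAuth in test mode, setting `OmniAuth.config.mock_auth[:calnet] = :invalid_credentials`, requesting the callback and following the redirect would exercise the real path. It is also worth pinning that the untrusted `message` parameter is never reflected, since the endpoint is a public GET: `get '/auth/failure', params: { message: '<script>alert(1)</script>' }` followed by `expect(response.body).not_to include('<script>')`.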