HTTP 401 Unauthorized if HTTP basic auth is not used?

When creating a REST API that does not use HTTP authentication (but something like an API key) and the client provides invalid credentials, what HTTP status code should you return? 401 Unauthorized or 403 Forbidden?

The IANA HTTP Status Code Registry lists RFC7235, section 3.1, as responsible for the “401 Unauthorized”, which states:

A server generating a 401 response MUST send a WWW-Authenticate header field

Does this mean that the REST API should only return 401 when using basic HTTP authentication, but not when, for example, authenticating with an API key?

Django seems to agree:

HTTP 401 responses should always include the WWW-Authenticate header, which instructs the client how to authenticate. HTTP 403 responses do not include the WWW-Authenticate header.

The type of response that will be used depends on the authentication scheme.

Richardson, however, seems to disagree:

401 ("Unauthorized")
Importance: high.
The client tried to work on a secure resource without providing the correct credentials. Perhaps they provided the wrong credentials, or nothing at all. Credentials can be a username and password, an API key, or an authentication token, whatever the service expects. It is common for the client to make a request for the URI and accept a 401 so that it knows which credentials to send and in what format. [...]

+4
1
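Worked example, added here and not part of the question or any answer on this page: a Python decision function for an API-key-protected endpoint that follows the RFC 7235 rule quoted above (every 401 carries a WWW-Authenticate challenge, here with an assumed custom `ApiKey` scheme) and reserves 403 for a valid key that lacks permission. The key store, the `X-API-Key` header name and the realm are constructed for the example.

```python
# Added example: 401 vs 403 for an API-key endpoint. RFC 7235 only requires that
# a 401 response carry a WWW-Authenticate header; it does not limit 401 to the
# Basic scheme, so a custom challenge is sent. "ApiKey" and the realm are assumptions.
from dataclasses import dataclass, field
from typing import Mapping

# Constructed sample key store: key -> scopes it is granted.
# A real service would store hashed keys, not plaintext.
API_KEYS = {
    "k-read-only": {"read"},
    "k-admin": {"read", "write"},
}

CHALLENGE = 'ApiKey realm="example-api"'  # assumed custom scheme name


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def authorize(headers: Mapping[str, str], required_scope: str) -> Response:
    """Decide the status and headers for a request carrying an X-API-Key header.

    401 + WWW-Authenticate: credentials missing or unknown. The challenge tells
        the client which scheme to use, so retrying with proper credentials can work.
    403 (no challenge): credentials are valid but do not permit this action;
        retrying with the same credentials will not help, so no challenge is sent.
    200: allowed.
    """
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    key = normalised.get("x-api-key")
    if key is None or key not in API_KEYS:
        return Response(401, {"WWW-Authenticate": CHALLENGE})
    if required_scope not in API_KEYS[key]:
        return Response(403)
    return Response(200)


if __name__ == "__main__":
    print(authorize({}, "read"))                              # 401 with challenge
    print(authorize({"X-API-Key": "k-read-only"}, "write"))   # 403, no challenge
    print(authorize({"x-api-key": "k-admin"}, "write"))       # 200
```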

, www-authenticate . , "API-", auth, . 401 www-authenticate . , , .

+8

Source: https://habr.com/ru/post/1547002/
