authenticate_or_request_with_http_token returning html instead of json

By including ActionController::HttpAuthentication::Token::ControllerMethods you include several methods, amongst others request_http_token_authentication which is simply a wrapper around Token.authentication_request. That #authentication_request-method is the culprit and sends the plain text (not HTML as your question suggests) as follows:

def authentication_request(controller, realm)  controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")  controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorizedend

The trick is to override request_http_token_authentication in your ApplicationController to not call Token.authentication_request but to set the correct status and headers and then render JSON instead. Add this to your ApplicationController:

protecteddef request_http_token_authentication(realm = "Application")  self.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")  render :json => {:error => "HTTP Token: Access denied."}, :status => :unauthorizedend

From Rails 5, the authenticate_or_request_with_http_token method allows a second parameter with a custom message, so you could just do:

  authenticate_or_request_with_http_token('realm', json_error) do |token, options|    check_token token  end