I think having "X-Requested-With: XMLHttpRequest" header present is in the right direction. In that case, the API responds with a JSON response (instead of HTML) that says that the call did not succeed (possibly providing further info, e.g., redirect URL or error code). Then, you handle the case in the frontend, e.g., provide the user with a login box and so on. Just my 2 cents.
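The flow described in the comment above, as an added example that is not part of the original post: the server picks JSON or an HTML redirect for an unauthenticated request, and the frontend turns the JSON into a login prompt. The route `/login`, the `next` parameter, the error code `not_authenticated` and all function names are assumptions.

```javascript
// Added example; all names here are hypothetical, not from the original post.
const LOGIN_URL = '/login'; // assumed login route

// Header names are case-insensitive, so compare them lowercased.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// The header is client-controlled: it selects the response format only.
// Whether the caller is authenticated is decided by the session check.
function isAjax(headers) {
  const v = getHeader(headers, 'X-Requested-With');
  return v !== undefined && v.trim().toLowerCase() === 'xmlhttprequest';
}

// Accept only same-site relative paths so the redirect hint cannot point off-site.
function safeReturnTo(path) {
  return typeof path === 'string' && /^\/(?![\/\\])/.test(path) ? path : '/';
}

// Server side: response for a request that failed the session check.
function unauthenticatedResponse(headers, returnTo) {
  const target = LOGIN_URL + '?next=' + encodeURIComponent(safeReturnTo(returnTo));
  if (isAjax(headers)) {
    return {
      status: 401,
      headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
      body: JSON.stringify({ ok: false, error: 'not_authenticated', redirect: target }),
    };
  }
  return { status: 302, headers: { Location: target }, body: '' };
}

// Frontend side: decide what to do with an API response.
function handleApiResponse(res) {
  if (res.status !== 401) return { action: 'continue' };
  let info = {};
  try { info = JSON.parse(res.body); } catch (_) { /* body was not JSON */ }
  if (info && info.error === 'not_authenticated') {
    return { action: 'show_login', redirect: info.redirect || LOGIN_URL };
  }
  return { action: 'show_error' };
}
```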