document status codes correctly

2 files changed, 10 insertions, 7 deletions

diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index af1c5096..bc6a98d5 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -93,12 +93,15 @@ possibly by using HTTPS.
   **Request:**
 
   :query last_issue_date: optional argument specifying the maximum value of any of the "stamp_start" members of the denomination keys of a "/keys" response that is already known to the client. Allows the exchange to only return keys that have changed since that timestamp.  The given value must be an unsigned 64-bit integer representing seconds after 1970.  If the timestamp does not exactly match the "stamp_start" of one of the denomination keys, all keys are returned.
+  :query now: request that the exchange answer the request as if the current time were the value given in "now".  The given value must be an unsigned 64-bit integer representing seconds after 1970.  This option is used for testing, and in production is likely not supported. 
 
   **Response:**
 
   :status 200 OK:
     The exchange responds with a `ExchangeKeysResponse` object. This request should
     virtually always be successful.
+  :status 403 Forbidden:
+    The client specified the "now" argument, but the exchange does not allow this option as per its configuration.
 
   **Details:**
 
@@ -528,7 +531,8 @@ exchange.
     will again yield the same response, so if the network goes down during the
     transaction or before the client can commit the coin signature to disk, the
     coin is not lost.
-  :status 401 Unauthorized: The signature is invalid.
+  :status 403 Forbidden:
+    The signature is invalid.
   :status 404 Not Found:
     The denomination key or the reserve are not known to the exchange.  If the
     denomination key is unknown, this suggests a bug in the wallet as the
@@ -857,11 +861,11 @@ the API during normal operation.
   exchange. The exchange MUST return a 307 or 308 redirection to the correct
   base URL if this is the case.
 
-  :status 401 Unauthorized:
-    One of the signatures is invalid.
   :status 200 OK:
     The request was successful.  The response body is `MeltResponse` in this case.
-  :status 404:
+  :status 403 Forbidden:
+    One of the signatures is invalid.
+  :status 404 Not found:
     the exchange does not recognize the denomination key as belonging to the exchange,
     or it has expired
   :status 409 Conflict:
diff --git a/core/api-merchant.rst b/core/api-merchant.rst
index a1c99038..809bcbf1 100644
--- a/core/api-merchant.rst
+++ b/core/api-merchant.rst
@@ -657,7 +657,7 @@ Payment processing
     :ts:type:`PostOrderResponse`.
   :status 404 Not found:
     The order given used products from the inventory, but those were not found
-    in the inventory.  Or the merchant instance is unknown.  Details in the
+    in the inventory.  Or the merchant instance is unknown (including possibly the instance being not configured for new orders).  Details in the
     error code. NOTE: no good way to find out which product is not in the
     inventory, we MAY want to specify that in the reply.
   :status 409 Conflict:
@@ -932,8 +932,7 @@ Payment processing
   :status 403 Forbidden:
     One of the coin signatures was not valid.
   :status 404 Not found:
-    The merchant backend could not find the order or the instance
-    and thus cannot process the payment.
+    The merchant backend could not find the order or the instance and thus cannot process the payment.
   :status 406 Not Acceptable:
     The payment is insufficient (sum is below the required total amount).
   :status 408 Request Timeout: