Feedback for “Security – OAS Tools”

[ShyMischief]

The handler function may return a result, typically the decoded token in case of HTTP Authentication. This result is saved to res.locals.oas.security. in order to make it available to controllers later in the execution.

When trying to implement some security handlers, this phrase in the documentation doesn't add a whole lot to go off of. If I want the authentication to fail there, do I throw an Error, return null/undefined, or some other combination?