mod-authtoken returns headers in case of 403-type of errors, such as X-Okapi-Module-Tokens. This tricked Okapi to save them (
OKAPI-1037).. But in general, headers like these should not be returned in case of errors.
It can be spotted in code sections easily - as if the mod-authtoken deliberately wants to return that header always.