diff --git a/src/iam/router.py b/src/iam/router.py
index 2895baa..e360615 100644
--- a/src/iam/router.py
+++ b/src/iam/router.py
@@ -75,20 +75,20 @@ async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependen
 else:
 return False
 except Exception:
- raise UnauthorizedException()
+ return False
 @router.get("/group/permissions", response_model=IAMGetGroupPermissionsResponse)
 async def get_group_permissions(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):
 if group_model.org_id != org_model.id:
- raise UnauthorizedException()
+ raise UnauthorizedException("Group does not belong to this organization")
 return {"permissions": group_model.permission_rel}
 @router.get("/group/users", response_model=IAMGetGroupUsersResponse)
 async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):
 if group_model.org_id != org_model.id:
- raise UnauthorizedException()
+ raise UnauthorizedException("User does not belong to this organization")
 return {"users": group_model.user_rel}
@@ -110,7 +110,7 @@ async def create_group(db: db_dependency, org_model: org_model_root_claim_body_d
 @router.put("/group/permission", response_model=IAMPutGroupPermissionResponse)
 async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupPermissionRequest):
 if group_model.org_id != org_model.id:
- raise UnauthorizedException()
+ raise UnauthorizedException("Group does not belong to this organization")
 if perm_model in group_model.permission_rel:
 raise ConflictException("Group already has this permission")
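Review bot: The new `except Exception: return False` in `can_act_on_resource` (src/iam/router.py, hunk at -75) turns every failure into a silent deny, so a database error or a bug in the permission lookup looks exactly like a genuine refusal and leaves no trace. Denying on error is the safe default, but the handler should record it, for example `logger.exception("can_act_on_resource failed; denying")` before `return False` (assuming the module has a logger), and ideally catch only the exception types the lookup is expected to raise. In the same hunk, `get_group_users` compares `group_model.org_id` with `org_model.id`, yet its new message says "User does not belong to this organization"; it should read `"Group does not belong to this organization"` like the other handlers. The body of `can_act_on_resource` starts above the hunk, so what the `try` covers is not visible here.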
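Review bot: The message added in `add_group_permission` (hunk at -110), `"Group does not belong to this organization"`, tells the caller that the supplied group exists under another organization; the same text is added in `get_group_permissions` in the hunk above and in `add_group_user`, `remove_group_permissions` and `remove_group_user` in the hunks at -126, -141 and -154. If the group lookup dependency answers differently for an unknown group (not visible in this diff), the response now separates "exists elsewhere" from "does not exist" across tenants. Consider answering as for an unknown group and keeping the specific reason in a server-side log, with a comment such as `# cross-org access: respond as for an unknown group, log the real reason`. It is also worth confirming the status code `UnauthorizedException` maps to, since the caller is already authenticated and this is an authorization failure.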
@@ -126,7 +126,7 @@ async def add_group_permission(db: db_dependency, group_model: group_model_body_
 @router.put("/group/user", response_model=IAMPutGroupUserResponse)
 async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupUserRequest):
 if group_model.org_id != org_model.id:
- raise UnauthorizedException()
+ raise UnauthorizedException("Group does not belong to this organization")
 if user_model in group_model.user_rel:
 raise ConflictException("User already in group")
@@ -141,7 +141,7 @@ async def add_group_user(db: db_dependency, group_model: group_model_body_depend
 @router.delete("/group/permissions")
 async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupPermissionRequest):
 if group_model.org_id != org_model.id:
- raise UnauthorizedException()
+ raise UnauthorizedException("Group does not belong to this organization")
 group_model.permission_rel.remove(perm_model)
 db.flush()
@@ -154,7 +154,7 @@ async def remove_group_permissions(db: db_dependency, group_model: group_model_b
 @router.delete("/group/user")
 async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupUserRequest):
 if group_model.org_id != org_model.id:
- raise UnauthorizedException()
+ raise UnauthorizedException("Group does not belong to this organization")
 user_model.group_rel.remove(group_model)
 db.flush()
diff --git a/src/iam/service.py b/src/iam/service.py
index b1d416b..d887bfd 100644
--- a/src/iam/service.py
+++ b/src/iam/service.py
@@ -9,6 +9,7 @@ from typing import Annotated
 from src.service.models import Service
 from src.database import db_dependency
 from src.schemas import ResourceName
+from src.auth.exceptions import UnauthorizedException
 from fastapi import HTTPException, status, Request, Depends
@@ -16,11 +17,11 @@ from fastapi import HTTPException, status, Request, Depends
 def valid_service_key(db: db_dependency, request: Request, rn: ResourceName) -> bool:
 api_key = request.headers.get("X-API-Key", None)
 if not api_key:
- raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
+ raise UnauthorizedException("Missing API key")
 service = rn.service
 result = db.query(Service).filter(Service.name == service).filter(Service.api_key == api_key).first()
 if result is None:
- raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
+ raise UnauthorizedException("Invalid API key")
 return True
diff --git a/test/test_auth_user.py b/test/test_auth_user.py
index e5ce189..c219dcb 100644
--- a/test/test_auth_user.py
+++ b/test/test_auth_user.py
@@ -8,7 +8,7 @@ from .conftest import no_user_client
 @pytest.mark.anyio
-async def test_get_self_db(no_user_client: AsyncClient):
+async def test_get_self_db_auth_user(no_user_client: AsyncClient):
 resp = await no_user_client.get("/user/self/db")
 assert resp.status_code != 422
 assert resp.status_code == 401
@@ -16,7 +16,7 @@ async def test_get_self_db(no_user_client: AsyncClient):
 @pytest.mark.anyio
-async def test_post_org_success(no_user_client: AsyncClient):
+async def test_post_org_success_auth_user(no_user_client: AsyncClient):
 resp = await no_user_client.post("/org", json={"name": "New Test Org"})
 assert resp.status_code != 422
 assert resp.status_code == 401
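Review bot: Neither rejection path in `valid_service_key` (src/iam/service.py, hunk at -16) records the failed attempt, so repeated bad keys against a service leave nothing for detection. Add a log line before each raise that names the service and the reason but never the key, for example `logger.warning("service key rejected for %s: invalid key", service)` (assuming a module logger exists). Returning the same "Invalid API key" for an unknown service and for a wrong key is worth keeping, with a short comment such as `# same error for unknown service and wrong key, on purpose`. The context line `Service.api_key == api_key` suggests keys are stored and matched in clear text; that is outside this change but deserves a follow-up to store a hash instead. If `HTTPException` and `status` are no longer used elsewhere in the file, the import kept in the previous hunk can be trimmed.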