diff --git a/src/container_orchestrator.rs b/src/container_orchestrator.rs index fbbe177..5eacd0d 100644 --- a/src/container_orchestrator.rs +++ b/src/container_orchestrator.rs @@ -63,10 +63,16 @@ impl PublishedContainer { } } -#[derive(Clone, Debug, Default, Deserialize, Serialize)] +#[derive(Clone, Debug, Default, Deserialize, PartialEq, Serialize)] pub(crate) struct RuntimeConfig { #[serde(default)] - pub(crate) http_access: Option>>, + pub(crate) http: Http, +} + +#[derive(Clone, Debug, Default, Deserialize, PartialEq, Serialize)] +pub(crate) struct Http { + #[serde(default)] + pub(crate) access: Option>>, } impl IntoResponse for RuntimeConfig { @@ -380,3 +386,35 @@ impl PortMapping { Some((ip, self.host_port).into()) } } + +#[cfg(test)] +mod tests { + use std::collections::HashMap; + + use sec::Secret; + + use crate::container_orchestrator::Http; + + use super::RuntimeConfig; + + #[test] + fn can_parse_sample_configs() { + let example = r#" + [http] + access = { someuser = "somepw" } + "#; + + let parsed: RuntimeConfig = toml::from_str(example).expect("should parse"); + + let mut pw_map = HashMap::new(); + pw_map.insert("someuser".to_owned(), Secret::new("somepw".to_owned())); + assert_eq!( + parsed, + RuntimeConfig { + http: Http { + access: Some(pw_map) + } + } + ) + } +} diff --git a/src/registry.rs b/src/registry.rs index d2af01e..8227228 100644 --- a/src/registry.rs +++ b/src/registry.rs @@ -512,7 +512,7 @@ mod tests { let tmp = TempDir::new("rockslide-test").expect("could not create temporary directory"); let password = "random-test-password".to_owned(); - let master_key = MasterKey::new_key(password.clone()); + let master_key = Arc::new(MasterKey::new_key(password.clone())); let registry = ContainerRegistry::new(tmp.as_ref(), (), master_key) .expect("should not fail to create app"); diff --git a/src/reverse_proxy.rs b/src/reverse_proxy.rs index 708ca64..a23e78c 100644 --- a/src/reverse_proxy.rs +++ b/src/reverse_proxy.rs 
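Review bot: Moving the password map from `http_access` to `http.access` lets stale configuration fail open: neither `RuntimeConfig` nor `Http` carries `#[serde(deny_unknown_fields)]` in the visible lines, and both `http` and `access` are `#[serde(default)]`, so a config that still uses the old `http_access` key would deserialize with `access: None`. As far as the `@@ -297` hunk in src/reverse_proxy.rs shows, `route_request` only checks credentials inside `if let Some(ref http_access) = config.http.access`, so such a container would be proxied without a password. I would add `#[serde(deny_unknown_fields)]` under the derive on both structs so an old or misspelled key is rejected at load time. How already-stored configs are migrated is not visible in this diff and should be checked.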
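Review bot: `can_parse_sample_configs` pins only the populated `[http]` table, while the inputs that decide whether a container ends up password protected are not covered: an empty document and an `[http]` table without `access`. Adding `assert_eq!(toml::from_str::<RuntimeConfig>("").expect("should parse"), RuntimeConfig::default());` and the same assertion for `"[http]"` would document that a missing key means no authentication. On style, the two imports can be written as one, `use super::{Http, RuntimeConfig};`, instead of mixing `crate::container_orchestrator::` and `super::` paths for the same module.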
@@ -297,7 +297,7 @@ async fn route_request( trace!(%dest, "reverse proxying"); // First, check if http authentication is enabled. - if let Some(ref http_access) = config.http_access { + if let Some(ref http_access) = config.http.access { let creds = request .extract_parts::() .await @@ -310,7 +310,7 @@ async fn route_request( if !http_access.check_credentials(&creds).await { return Err(AppError::AuthFailure { realm: "password protected container", - status: StatusCode::FORBIDDEN, + status: StatusCode::UNAUTHORIZED, }); } } @@ -371,7 +371,7 @@ async fn route_request( if !rp.auth_provider.check_credentials(&creds).await { return Err(AppError::AuthFailure { realm: "internal", - status: StatusCode::FORBIDDEN, + status: StatusCode::UNAUTHORIZED, }); }
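Review bot: Both rejected-credential branches (at `@@ -310` for the per-container password and at `@@ -371` for the `internal` realm) return `AppError::AuthFailure` without recording anything, so repeated password guessing leaves no trace unless `AppError` logs on conversion, which this diff does not show. Because `StatusCode::UNAUTHORIZED` makes clients prompt again and retry, I would add an event such as `warn!(%dest, realm = "password protected container", "credential check failed");` before each `return Err(...)`, never including the supplied password. A 401 must also carry a `WWW-Authenticate` challenge, so confirm that the `IntoResponse` impl for `AuthFailure` builds one from `realm`. `route_request` begins and ends outside these hunks, so check that `dest` and `warn!` are in scope at both sites.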