I suppose you are using Apache for the web server. Please take a look at the 'CGIPassAuth On' option, I believe this may be part of your problem. Specifically, in the <Directory "/usr/share/koha/api"> section of the /etc/koha/apache-shared-intranet.conf file.
It is possible that your program needs to watch for the auth failure message, and try to do something like Basic Authentication with the client id and secret when it sees that message.
Devs,
Perhaps the CGIPassAuth option needs to be added as part of Koha's Apache config in the file I mention above?