diff --git a/go/vt/proto/vtrpc/vtrpc.pb.go b/go/vt/proto/vtrpc/vtrpc.pb.go
index 7a8c8a7cd6..500a88b8e5 100644
--- a/go/vt/proto/vtrpc/vtrpc.pb.go
+++ b/go/vt/proto/vtrpc/vtrpc.pb.go
@@ -88,6 +88,9 @@ const ( // 1. Query has been throttled // 2. VtGate could have request backlog ErrorCode_TRANSIENT_ERROR ErrorCode = 11 + // UNAUTHENTICATED errors are returned when a user requests access to something, + // and we're unable to verify the user's authentication. + ErrorCode_UNAUTHENTICATED ErrorCode = 12 ) var ErrorCode_name = map[int32]string{
@@ -103,6 +106,7 @@ var ErrorCode_name = map[int32]string{ 9: "NOT_IN_TX", 10: "INTERNAL_ERROR", 11: "TRANSIENT_ERROR", + 12: "UNAUTHENTICATED", } var ErrorCode_value = map[string]int32{ "SUCCESS": 0,
@@ -117,6 +121,7 @@ var ErrorCode_value = map[string]int32{ "NOT_IN_TX": 9, "INTERNAL_ERROR": 10, "TRANSIENT_ERROR": 11, + "UNAUTHENTICATED": 12, } func (x ErrorCode) String() string {
diff --git a/go/vt/tabletserver/query_executor.go b/go/vt/tabletserver/query_executor.go
index e89a469212..3c2bd3de6b 100644
--- a/go/vt/tabletserver/query_executor.go
+++ b/go/vt/tabletserver/query_executor.go
@@ -220,7 +220,7 @@ func (qre *QueryExecutor) checkPermissions() error {
 callerID := callerid.ImmediateCallerIDFromContext(qre.ctx)
 if callerID == nil {
 if qre.qe.strictTableAcl {
- return NewTabletError(ErrFail, "missing caller id")
+ return NewTabletError(ErrFail, vtrpc.ErrorCode_UNAUTHENTICATED, "missing caller id")
 }
 return nil
 }
@@ -231,7 +231,7 @@ func (qre *QueryExecutor) checkPermissions() error {
 return nil
 }
 if qre.plan.Authorized == nil {
- return NewTabletError(ErrFail, "table acl error: nil acl")
+ return NewTabletError(ErrFail, vtrpc.ErrorCode_PERMISSION_DENIED, "table acl error: nil acl")
 }
 tableACLStatsKey := []string{
 qre.plan.TableName,
diff --git a/proto/vtrpc.proto b/proto/vtrpc.proto
index 95be20db2e..af7b928890 100644
--- a/proto/vtrpc.proto
+++ b/proto/vtrpc.proto
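Review bot: In the `@@ -220,7 +220,7 @@` hunk of query_executor.go, the context line `return nil` just after the changed return still lets a request with no immediate caller ID through without any table ACL check whenever `strictTableAcl` is off, and nothing in the hunk documents that. Now that the strict-mode rejection is an explicit `UNAUTHENTICATED` error, the fail-open branch deserves a comment such as `// Non-strict mode: without a caller ID, table ACLs are not enforced for this query.` It may also be worth counting these requests so operators can see how much traffic arrives without a caller ID before enabling strict mode. checkPermissions begins above the hunk and continues below it, so such a counter may already exist outside the visible lines.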
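Review bot: In the `@@ -231,7 +231,7 @@` hunk of query_executor.go, a nil `qre.plan.Authorized` is now reported as `PERMISSION_DENIED`, which makes a plan with no ACL attached look like an ordinary denial of that caller to clients and to anything that counts errors by code. Failing closed here is right, but the message `table acl error: nil acl` reads like a server-side condition; if that is what it is, `vtrpc.ErrorCode_INTERNAL_ERROR` would keep permission-denied counts meaningful for detection. If the denial code is deliberate, a one-line comment such as `// nil ACL: fail closed and report as a denial` would record the intent. The function body continues past the end of the hunk, so how later denials are coded is not visible here.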
@@ -111,6 +111,10 @@ enum ErrorCode {
 // 1. Query has been throttled
 // 2. VtGate could have request backlog
 TRANSIENT_ERROR = 11;
+
+ // UNAUTHENTICATED errors are returned when a user requests access to something,
+ // and we're unable to verify the user's authentication.
+ UNAUTHENTICATED = 12;
 }
 // ErrorCodeDeprecated is the enum values for Errors. These are deprecated errors, we
diff --git a/py/vtproto/vtrpc_pb2.py b/py/vtproto/vtrpc_pb2.py
index d123bb7a61..bc2d5d6e27 100644
--- a/py/vtproto/vtrpc_pb2.py
+++ b/py/vtproto/vtrpc_pb2.py
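Review bot: The new comment on `UNAUTHENTICATED` does not say how it differs from `PERMISSION_DENIED`, and callers that map error codes to retry or alerting behaviour need that distinction spelled out. Consider adding a line such as `// Unlike PERMISSION_DENIED, the caller's identity could not be established at all (for example, no caller ID was supplied).` The missing-caller-ID case is the only use visible in this commit, in query_executor.go.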
@@ -19,7 +19,7 @@ _sym_db = _symbol_database.Default() DESCRIPTOR = _descriptor.FileDescriptor( name='vtrpc.proto', package='vtrpc', - serialized_pb=_b('\n\x0bvtrpc.proto\x12\x05vtrpc\"F\n\x08\x43\x61llerID\x12\x11\n\tprincipal\x18\x01 \x01(\t\x12\x11\n\tcomponent\x18\x02 \x01(\t\x12\x14\n\x0csubcomponent\x18\x03 \x01(\t\"E\n\x08RPCError\x12(\n\x04\x63ode\x18\x01 \x01(\x0e\x32\x1a.vtrpc.ErrorCodeDeprecated\x12\x0f\n\x07message\x18\x02 \x01(\t*\xf2\x01\n\tErrorCode\x12\x0b\n\x07SUCCESS\x10\x00\x12\r\n\tCANCELLED\x10\x01\x12\x11\n\rUNKNOWN_ERROR\x10\x02\x12\r\n\tBAD_INPUT\x10\x03\x12\x15\n\x11\x44\x45\x41\x44LINE_EXCEEDED\x10\x04\x12\x13\n\x0fINTEGRITY_ERROR\x10\x05\x12\x15\n\x11PERMISSION_DENIED\x10\x06\x12\x16\n\x12RESOURCE_EXHAUSTED\x10\x07\x12\x14\n\x10QUERY_NOT_SERVED\x10\x08\x12\r\n\tNOT_IN_TX\x10\t\x12\x12\n\x0eINTERNAL_ERROR\x10\n\x12\x13\n\x0fTRANSIENT_ERROR\x10\x0b*x\n\x13\x45rrorCodeDeprecated\x12\x0b\n\x07NoError\x10\x00\x12\x10\n\x0bTabletError\x10\xe8\x07\x12\x17\n\x12UnknownTabletError\x10\xcf\x0f\x12\x10\n\x0bVtgateError\x10\xd0\x0f\x12\x17\n\x12UnknownVtgateError\x10\xb7\x17\x42\x1a\n\x18\x63om.youtube.vitess.protob\x06proto3') + serialized_pb=_b('\n\x0bvtrpc.proto\x12\x05vtrpc\"F\n\x08\x43\x61llerID\x12\x11\n\tprincipal\x18\x01 \x01(\t\x12\x11\n\tcomponent\x18\x02 \x01(\t\x12\x14\n\x0csubcomponent\x18\x03 \x01(\t\"E\n\x08RPCError\x12(\n\x04\x63ode\x18\x01 \x01(\x0e\x32\x1a.vtrpc.ErrorCodeDeprecated\x12\x0f\n\x07message\x18\x02 
\x01(\t*\x87\x02\n\tErrorCode\x12\x0b\n\x07SUCCESS\x10\x00\x12\r\n\tCANCELLED\x10\x01\x12\x11\n\rUNKNOWN_ERROR\x10\x02\x12\r\n\tBAD_INPUT\x10\x03\x12\x15\n\x11\x44\x45\x41\x44LINE_EXCEEDED\x10\x04\x12\x13\n\x0fINTEGRITY_ERROR\x10\x05\x12\x15\n\x11PERMISSION_DENIED\x10\x06\x12\x16\n\x12RESOURCE_EXHAUSTED\x10\x07\x12\x14\n\x10QUERY_NOT_SERVED\x10\x08\x12\r\n\tNOT_IN_TX\x10\t\x12\x12\n\x0eINTERNAL_ERROR\x10\n\x12\x13\n\x0fTRANSIENT_ERROR\x10\x0b\x12\x13\n\x0fUNAUTHENTICATED\x10\x0c*x\n\x13\x45rrorCodeDeprecated\x12\x0b\n\x07NoError\x10\x00\x12\x10\n\x0bTabletError\x10\xe8\x07\x12\x17\n\x12UnknownTabletError\x10\xcf\x0f\x12\x10\n\x0bVtgateError\x10\xd0\x0f\x12\x17\n\x12UnknownVtgateError\x10\xb7\x17\x42\x1a\n\x18\x63om.youtube.vitess.protob\x06proto3') ) _sym_db.RegisterFileDescriptor(DESCRIPTOR) @@ -77,11 +77,15 @@ _ERRORCODE = _descriptor.EnumDescriptor( name='TRANSIENT_ERROR', index=11, number=11, options=None, type=None), + _descriptor.EnumValueDescriptor( + name='UNAUTHENTICATED', index=12, number=12, + options=None, + type=None), ], containing_type=None, options=None, serialized_start=166, - serialized_end=408, + serialized_end=429, ) _sym_db.RegisterEnumDescriptor(_ERRORCODE) @@ -115,8 +119,8 @@ _ERRORCODEDEPRECATED = _descriptor.EnumDescriptor( ], containing_type=None, options=None, - serialized_start=410, - serialized_end=530, + serialized_start=431, + serialized_end=551, ) _sym_db.RegisterEnumDescriptor(_ERRORCODEDEPRECATED) @@ -133,6 +137,7 @@ QUERY_NOT_SERVED = 8 NOT_IN_TX = 9 INTERNAL_ERROR = 10 TRANSIENT_ERROR = 11 +UNAUTHENTICATED = 12 NoError = 0 TabletError = 1000 UnknownTabletError = 1999