diff --git a/supervisor/api/auth.py b/supervisor/api/auth.py
index 9b194054b..7fc132e1c 100644
--- a/supervisor/api/auth.py
+++ b/supervisor/api/auth.py
@@ -49,7 +49,10 @@ class APIAuth(CoreSysAttributes):
         Return a coroutine.
         """
-        auth = BasicAuth.decode(request.headers[AUTHORIZATION])
+        try:
+            auth = BasicAuth.decode(request.headers[AUTHORIZATION])
+        except ValueError as err:
+            raise HTTPUnauthorized(headers=REALM_HEADER) from err
         return self.sys_auth.check_login(addon, auth.login, auth.password)
 
     def _process_dict(
diff --git a/tests/api/test_auth.py b/tests/api/test_auth.py
index 7d83cf62a..315809e1a 100644
--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@@ -330,6 +330,18 @@ async def test_auth_basic_auth_failure(
     assert resp.status == 401
 
 
+@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
+async def test_auth_bearer_token_returns_401(
+    api_client: TestClient, install_addon_ssh: Addon
+):
+    """Test that a Bearer token in Authorization header returns 401, not 500."""
+    resp = await api_client.post(
+        "/auth", headers={"Authorization": "Bearer sometoken123"}
+    )
+    assert "Basic realm" in resp.headers[WWW_AUTHENTICATE]
+    assert resp.status == 401
+
+
 @pytest.mark.parametrize("api_client", ["local_example"], indirect=True)
 async def test_auth_addon_no_auth_access(
     api_client: TestClient, install_addon_example: Addon
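Review bot: The new `except ValueError` branch carries no comment saying why that exception type is the right one to map to 401, and the method's docstring (its signature and the start of the docstring are outside the hunk) still does not say the method can raise HTTPUnauthorized. I would put `# BasicAuth.decode raises ValueError (incl. binascii/Unicode decode errors) for a non-Basic scheme, a malformed header or an undecodable payload; answer 401 with the realm so the client re-prompts instead of surfacing a 500.` above the `try`, and add a `Raises: HTTPUnauthorized` line to the docstring. Note that `request.headers[AUTHORIZATION]` itself sits inside the `try` but a missing header raises KeyError, not ValueError, so if any caller can reach this method without the header that path is still a 500; `request.headers.get(AUTHORIZATION, "")` would fold it into the same 401 since an empty string also fails to parse — skip this if the caller already guards on the header's presence, which I cannot see from the hunk.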
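Review bot: test_auth_bearer_token_returns_401 only covers the wrong-scheme case of the ValueError path; a `Basic` header whose payload is not valid base64 or does not decode as UTF-8 takes the same branch and is not exercised. Parametrizing the header value, e.g. `@pytest.mark.parametrize("auth_header", ["Bearer sometoken123", "Basic not-base64!", "Basic"])`, would pin all three without adding a second test. It would also be worth asserting that no login check was attempted for these requests, so a future refactor cannot turn a parse failure into a credential lookup.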