If foreman receives an API request with no Authorization header, it should include the WWW-Authenticate header in the response. Not doing this prevents wget from understanding that it needs to reply with the header. (You can override this with --auth-no-challenge, but it's confusing).

See http://tools.ietf.org/html/rfc2617#section-3.2.1