Have a code where you can really describe the error; try to use the correct HTTP status (your example doesn't); don't ever use status 200 for errors; and finally, have an "error" key set to something somewhere (I'd write the error code to it).
The message is optional.
So, the simplest version would be:
HTTP/1.1 401 POST /endpoint
{
  "error": "UNAUTHORIZED"
}
Status 200 for errors is common for non-REST HTTP APIs. An application error isn't an HTTP error; the request and response were both handled successfully.