diff --git a/.changeset/early-hornets-pay.md b/.changeset/early-hornets-pay.md
new file mode 100644
index 0000000000..25946a4361
--- /dev/null
+++ b/.changeset/early-hornets-pay.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-node': minor
+---
+
+Ensure `getIdentity` throws an `AuthenticationError` instead of a `NotAllowed` error when authentication fails
diff --git a/plugins/auth-node/src/DefaultIdentityClient.ts b/plugins/auth-node/src/DefaultIdentityClient.ts
index a7946c77ff..499fc62929 100644
--- a/plugins/auth-node/src/DefaultIdentityClient.ts
+++ b/plugins/auth-node/src/DefaultIdentityClient.ts
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 import { PluginEndpointDiscovery } from '@backstage/backend-common';
-import { AuthenticationError, NotAllowedError } from '@backstage/errors';
+import { AuthenticationError } from '@backstage/errors';
 import {
   createRemoteJWKSet,
   decodeJwt,
@@ -86,7 +86,7 @@ export class DefaultIdentityClient implements IdentityApi {
         getBearerTokenFromAuthorizationHeader(request.headers.authorization),
       );
     } catch (e) {
-      throw new NotAllowedError(e.message);
+      throw new AuthenticationError(e.message);
     }
   }