Can the SEMP – REST API work with a READ-ONLY user? If so, how do you create one?

OK, I figured this out after re-reading the docs and your answer above. My confusion came from a couple of places, which I will list here in case anyone else has the same questions/thoughts. Firstly, I had been adding users via the admin control panel under the “Users” page in the sidebar. I thought that these were messaging users, but they were not. I had been using their credentials to log in and interact with my event broker, but in actuality, it seems like I had actually been logging in with the “default” client-username (which comes out of the box with no password). Also, the event broker comes out of the box with authentication enabled, but with the authentication method set to none, so when I turned that to internal database and tried to use the users I had created under the “Users” tab, I was getting the 401s because those credentials were not client-username/messaging credentials. So after further research, I ended up giving my “default” client-username a password and turning on internal database authentication, and now I am able to log in (and more importantly, lock down my event broker). Hope this helps someone else.

Solace employees: if I could make a suggestion, I would suggest that, maybe somewhere in the initial setup/config docs, you explain that the default configuration is open to the world. Also, while your docs do explain how to lock the event broker down in general, it might be useful to have a tutorial that explains how to go from the initial (open to the world) configuration to a more secure configuration.