If you change your return type to HttpResponseMessage, you can do something like the following:
/// <summary>
/// Returns the contact list when the request's Authorization header passes
/// <c>IsValid</c>; otherwise returns an error response and no data.
/// </summary>
/// <returns>
/// 200 OK carrying the result of <c>DB.GetContacts()</c>, or 400 Bad Request with a
/// plain-text message when <c>IsValid</c> returns false.
/// </returns>
public HttpResponseMessage GetContactList()
{
    // Guard first: the data store is not touched unless the header check passes.
    var authorization = Request.Headers.Authorization;
    if (!IsValid(authorization))
    {
        // This branch runs whenever IsValid returns false, whatever the reason, so the
        // message can be shown for a header that is present but rejected.
        // NOTE(review): 401 Unauthorized is the conventional status for a failed
        // authentication check; 400 is kept here because callers may depend on it.
        // NOTE(review): a check repeated per action is easy to omit on a new action;
        // consider enforcing it once in an authorization filter - confirm against the
        // rest of the controller.
        return Request.CreateResponse(HttpStatusCode.BadRequest, "Authentication Token missing");
    }

    var contacts = DB.GetContacts();
    return Request.CreateResponse(HttpStatusCode.OK, contacts);
}