# 403 Forbidden

> https://http-status.org/docs/403

**Family:** 4xx Client Error

## Rationale

The server understood the request but refuses to fulfill it; re-authenticating usually does not help.

## In Plain Terms

I know who you are, but you're not allowed to do this. You don't have permission for this action.

## Description

The HTTP 403 Forbidden status code indicates that the server understood the request but refuses to authorize it. Re-authenticating will make no difference.

## Server Perspective

### Usage
- Return 403 for permission, policy, geographic, or account-state restrictions
- Use it when the client is known but the action is still not allowed
- User lacks required permissions or roles
- Resource access restricted by policy
- Geographic or IP-based restrictions
- Account suspended or disabled

### Implementation
- Explain the policy or permission problem briefly when it is safe to do so
- Consider 404 instead when revealing the resource would create an information leak

### Common Headers
- No status-specific header is required; still send normal HTTP metadata such as Content-Type, caching, or tracing headers when they help the client.

### Body
- Optionally include a machine-readable reason such as insufficient_scope or account_suspended

### Pitfalls
- Do not use 403 when authentication is missing or refreshable; use 401 instead
- Do not assume re-authentication alone will fix a true 403
- Authentication required (use 401 Unauthorized)
- Resource doesn't exist (use 404 Not Found)
- Bad request format (use 400 Bad Request)

## Client Perspective

### Pitfalls
- Do not assume signing in again will fix a true 403

## Examples

### Insufficient user role

User authenticated but lacks admin privileges for deletion

**Request:**
```
DELETE https://api.example.test/api/users/123
Authorization: Bearer <user-token>
```

**Response:**
```
403 Forbidden
Content-Type: application/json

{
  "error": "forbidden"
}
```

### Resource access denied

User can't access another user's private information

**Request:**
```
GET https://api.example.test/api/users/456/private-data
```

**Response:**
```
403 Forbidden
Content-Type: application/json

{
  "error": "forbidden"
}
```

## Related Codes

- [401 Unauthorized](/docs/401.md)
- [404 Not Found](/docs/404.md)
- [451 Unavailable For Legal Reasons](/docs/451.md)