403

Forbidden

4xx Client Error

ELI5

I know who you are, but you're not allowed to do this. You don't have permission for this action.

Server perspective

Use 403 when the request is understood but the client is not allowed to perform it, even with current authentication.

When to use

  • Return 403 for permission, policy, geographic, or account-state restrictions
  • Use it when the client is known but the action is still not allowed
  • User lacks required permissions or roles
  • Resource access restricted by policy
  • Geographic or IP-based restrictions
  • Account suspended or disabled

How to respond

  • Explain the policy or permission problem briefly when it is safe to do so
  • Consider 404 instead when revealing the resource would create an information leak

Headers to consider

  • No status-specific header is required; still send normal HTTP metadata such as Content-Type, caching, or tracing headers when they help the client.

Response body

  • Optionally include a machine-readable reason such as insufficient_scope or account_suspended

Server-side pitfalls

  • Do not use 403 when authentication is missing, invalid, or refreshable; use 401 Unauthorized instead
  • Do not assume re-authentication alone will fix a true 403; the client needs different permissions, not a fresh token
  • Do not use 403 when the resource doesn't exist; use 404 Not Found
  • Do not use 403 for a malformed request; use 400 Bad Request
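The following is an added example, not code from the original page: a minimal request handler that makes the 401 / 403 / 404 distinctions described above, attaches a machine-readable reason to each 403, and shows the "404 instead of 403" choice for private resources as a policy switch. All users, tokens, paths and records are constructed for the demonstration.

```python
"""Added example (not from the original page): deciding between 401, 403
and 404 in a JSON API and returning a machine-readable reason. All data
below (tokens, user ids, private records) is constructed."""
from dataclasses import dataclass, field

# Constructed token table. A real service validates signed tokens instead.
USERS = {
    "tok-alice": {"id": 123, "roles": {"user"}, "status": "active"},
    "tok-bob":   {"id": 456, "roles": {"user", "admin"}, "status": "active"},
    "tok-carol": {"id": 789, "roles": {"user"}, "status": "suspended"},
}
# Constructed private records keyed by owner id.
PRIVATE_DATA = {123: {"ssn_last4": "1234"}, 456: {"ssn_last4": "5678"}}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def json_response(status, reason=None):
    """Build a JSON response; `reason` becomes the machine-readable error field."""
    body = {"error": reason} if reason else {}
    return Response(status, body, {"Content-Type": "application/json"})


def authenticate(headers):
    """Return the user record for a Bearer token, or None if auth is missing/invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return USERS.get(auth[len("Bearer "):].strip())


def handle(method, path, headers, hide_private=False):
    """Route a request. `hide_private=True` answers 404 instead of 403 when a
    client asks for another user's private data, so existence is not revealed."""
    user = authenticate(headers)
    if user is None:
        # Missing or invalid credentials: the client may fix this by authenticating.
        resp = json_response(401, "authentication_required")
        resp.headers["WWW-Authenticate"] = 'Bearer realm="api"'
        return resp
    if user["status"] != "active":
        # Client is known, but account state forbids every action: a true 403.
        return json_response(403, "account_suspended")

    parts = path.strip("/").split("/")
    if len(parts) >= 3 and parts[:2] == ["api", "users"] and parts[2].isdigit():
        target = int(parts[2])
        if method == "DELETE" and len(parts) == 3:
            # Deleting users requires the admin role; re-authenticating won't help.
            if "admin" not in user["roles"]:
                return json_response(403, "insufficient_role")
            return Response(204)
        if method == "GET" and len(parts) == 4 and parts[3] == "private-data":
            if target != user["id"]:
                # Owner-only resource: 403 by default, 404 when existence must stay hidden.
                if hide_private:
                    return json_response(404, "not_found")
                return json_response(403, "forbidden")
            if target not in PRIVATE_DATA:
                return json_response(404, "not_found")
            return Response(200, PRIVATE_DATA[target], {"Content-Type": "application/json"})
    return json_response(404, "not_found")


if __name__ == "__main__":
    for call in [
        ("DELETE", "/api/users/123", {"Authorization": "Bearer tok-alice"}),
        ("GET", "/api/users/456/private-data", {"Authorization": "Bearer tok-alice"}),
        ("GET", "/api/users/123/private-data", {}),
    ]:
        r = handle(*call)
        print(call[0], call[1], "->", r.status, r.body)
```

The handler checks authentication first (401), then account state (403), then the specific permission for the route (403 with a reason such as insufficient_role), and only then resource existence (404); `hide_private` shows where the information-leak caveat from "How to respond" changes the answer.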

Examples

Insufficient user role

Request:

  DELETE https://api.example.test/api/users/123
  # Headers
  Authorization: Bearer <user-token>

Response:

  403 Forbidden
  # Headers
  Content-Type: application/json
  # Body
  { "error": "forbidden" }

User authenticated but lacks admin privileges for deletion

Resource access denied

Request:

  GET https://api.example.test/api/users/456/private-data

Response:

  403 Forbidden
  # Headers
  Content-Type: application/json
  # Body
  { "error": "forbidden" }

User can't access another user's private information
