403 Forbidden
The HTTP 403 Forbidden client error response status code indicates that the server understood the request but refused to process it. This status is similar to 401, except that for 403 Forbidden responses, authenticating or re-authenticating makes no difference. The request failure is tied to application logic, such as insufficient permissions to a resource or action.
Clients that receive a 403 response should expect that repeating the request without modification will fail with the same error. Server owners may decide to send a 404 response instead of a 403 if acknowledging the existence of a resource to clients with insufficient privileges is not desired.
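The 401 / 403 / 404 decision described above, as an added example that is not part of the original page. The function name, the `hide_existence` switch, the token table (apart from the `abcd123` token used in the page's request) and the user store are hypothetical and constructed for illustration:

```python
# Added illustration: tokens, roles and the user store are constructed sample data.
TOKENS = {  # bearer token -> roles
    "abcd123": {"user"},
    "root456": {"admin"},
}
USERS = {"123", "456"}  # ids that exist in the hypothetical user store


def delete_user(headers, user_id, hide_existence=False):
    """Decide the response to DELETE /users/<user_id>: (status, headers, body)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    roles = TOKENS.get(token) if scheme.lower() == "bearer" else None

    if roles is None:
        # Missing or unknown credentials: 401, because authenticating can help.
        return 401, {"WWW-Authenticate": "Bearer"}, {"error": "Unauthenticated"}

    # Authorize before touching the user store, so an unprivileged caller gets
    # the same answer whether or not the target id exists.
    if "admin" not in roles:
        if hide_existence:
            # Policy choice from the text: do not acknowledge the resource.
            return 404, {}, {"error": "NotFound"}
        return 403, {}, {
            "error": "InsufficientPermissions",
            "message": "Deleting users requires the 'admin' role.",
        }

    if user_id not in USERS:
        return 404, {}, {"error": "NotFound"}
    USERS.discard(user_id)
    return 204, {}, None
```

Checking the role before looking up the id is what keeps the two unprivileged cases indistinguishable; a handler that returns 404 for missing ids first and 403 only for existing ones reveals which ids exist.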
Status
```http
403 Forbidden
```
Examples
Request failed due to insufficient permissions
The following example request is made to an API for user management. The request contains an Authorization header using Bearer authentication scheme containing an access token:
```http
DELETE /users/123 HTTP/1.1
Host: example.com
Authorization: Bearer abcd123
```
The server has authenticated the request, but the action fails due to insufficient rights and the response body contains a reason for the failure:
```http
HTTP/1.1 403 Forbidden
Date: Tue, 02 Jul 2024 12:56:49 GMT
Content-Type: application/json
Content-Length: 88

{
  "error": "InsufficientPermissions",
  "message": "Deleting users requires the 'admin' role."
}
```
Specifications
| Specification |
|---|
| HTTP Semantics # status.403 |