DevKits
403

Forbidden

4xx Client Error

Last updated:

The server understood the request and the client is authenticated, but access is refused.

Description

Authorization failure. The client is authenticated, but does not have permission for this specific resource or action. Repeating the request will not help.

When to use

Return 403 when a valid user tries to access a resource they don't own or perform an action their role doesn't allow.

Common pitfalls

Some APIs return 404 instead of 403 to hide the existence of protected resources — an intentional trade-off for security.

Specification

RFC 9110 §15.5.4

Examples

HTTP response
HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error":"Forbidden"}
Node.js (Express)
res.status(403).json({ error: "Forbidden" });
Go (net/http)
w.WriteHeader(http.StatusForbidden)
Python (Flask)
return jsonify({"error": "Forbidden"}), 403

Related status codes

All 4xx codes