Aarunya Apps

403 Forbidden (Client Error)

HTTP 403 Forbidden — Authorization Failures, Causes & Fix

The server understood the request but refuses to authorise it. The client is authenticated (unlike 401) but lacks the necessary permissions. Re-authentication will not help — this is an authorisation failure.

When to Return 403

Use 403 when an authenticated user tries to access a resource they don't have permission to access: wrong role, wrong tenant, admin-only endpoint. Some servers return 404 instead of 403 to avoid disclosing that the resource exists.

Common Causes

  • User lacks the required role or permission
  • Resource belongs to a different user/tenant
  • IP address is blocked
  • Rate limit exceeded for a specific operation
  • Feature not included in user's plan
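The paragraph on when to return 403 and the causes list above mix three distinct outcomes: no authenticated user (401), a user from another tenant (403, or 404 when the server chooses not to reveal that the resource exists), and a user in the right tenant who lacks a permission (403). The following is an added example, not code from the original page or from Aarunya Apps: a framework-independent decision function that returns the status and body for each case. The role-to-permission table, the user and resource objects, and the `hideExistence` option are all constructed for this example.

```javascript
// Role -> permission table, constructed for this example.
const PERMISSIONS = {
  viewer: ['resource:read'],
  editor: ['resource:read', 'resource:write'],
  admin: ['resource:read', 'resource:write', 'resource:delete', 'users:delete'],
}

// Union of the permissions granted by all of a user's roles.
function permissionsFor(user) {
  const perms = new Set()
  for (const role of user.roles ?? []) {
    for (const p of PERMISSIONS[role] ?? []) perms.add(p)
  }
  return perms
}

// Decide whether `user` may perform `action` on `resource`.
// Returns { status, body } in the shape of the HTTP response example,
// or null when the request is allowed.
//   - no user            -> 401 (authentication problem; re-authenticating can help)
//   - other tenant       -> 403, or 404 when hideExistence is set
//   - missing permission -> 403 (re-authenticating will not help)
function authorize({ user, action, resource, hideExistence = false }) {
  if (!user) {
    return { status: 401, body: { error: 'Unauthorized' } }
  }
  if (resource && resource.tenantId !== user.tenantId) {
    // Cross-tenant access. With hideExistence the response is identical to a
    // genuinely missing resource, so the caller learns nothing about whether
    // another tenant owns this id.
    return hideExistence
      ? { status: 404, body: { error: 'Not Found' } }
      : { status: 403, body: { error: 'Forbidden', message: 'Resource belongs to another tenant' } }
  }
  if (!permissionsFor(user).has(action)) {
    return { status: 403, body: { error: 'Forbidden', message: `Requires ${action} permission` } }
  }
  return null
}

// Constructed sample users and resource for a stand-alone run.
const alice = { id: 'u1', tenantId: 't1', roles: ['viewer'] }
const bob = { id: 'u2', tenantId: 't2', roles: ['admin'] }
const doc = { id: 'd1', tenantId: 't1' }

// Runs the five cases discussed in the text and returns the decisions.
function demo() {
  return [
    authorize({ user: null, action: 'resource:read', resource: doc }),
    authorize({ user: alice, action: 'resource:read', resource: doc }),
    authorize({ user: alice, action: 'resource:delete', resource: doc }),
    authorize({ user: bob, action: 'resource:read', resource: doc }),
    authorize({ user: bob, action: 'resource:read', resource: doc, hideExistence: true }),
  ]
}

for (const r of demo()) {
  console.log(r ? `${r.status} ${JSON.stringify(r.body)}` : 'allowed')
}
```

Keeping the decision in a pure function makes it easy to unit-test every branch, and the tenant check runs before the permission check so that a highly privileged user in one tenant is still refused another tenant's data. Whatever status is returned to the client, the denied decision (user id, action, resource id, reason) is the thing worth recording server-side, since a burst of 403s or 404s from one account is the signal an operator wants to see.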

HTTP Response Example

HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error": "Forbidden", "message": "Requires admin role"}

Code Examples

Express.js
const express = require('express')
const app = express()

// Role-check middleware: 401 if the request is not authenticated at all,
// 403 if it is authenticated but the user does not hold the required role.
const requireRole = (role) => (req, res, next) => {
  if (!req.user) return res.sendStatus(401)
  if (!(req.user.roles ?? []).includes(role)) {
    return res.status(403).json({
      error: 'Forbidden',
      message: `Requires ${role} role`,
    })
  }
  next()
}

// `authenticate` populates req.user from the session or token and `handler`
// performs the deletion; both are application-specific and not shown here.
app.delete('/admin/users/:id', authenticate, requireRole('admin'), handler)

Next.js App Router
// app/api/admin/users/[id]/route.ts
// `getSession` and `db` are application-specific helpers (not shown here).
export async function DELETE(
  request: Request,
  { params }: { params: Promise<{ id: string }> }
) {
  const session = await getSession(request)
  // No session at all: authentication failure (401)
  if (!session) return Response.json({ error: 'Unauthorized' }, { status: 401 })
  // Authenticated but not an admin: authorisation failure (403)
  if (!session.user.isAdmin) {
    return Response.json({ error: 'Forbidden' }, { status: 403 })
  }
  await db.users.delete((await params).id)
  return new Response(null, { status: 204 })
}
