HTTP 403 Forbidden — Authorization Failures, Causes & Fixes
The server understood the request but refuses to authorise it. The client is authenticated (unlike 401) but lacks the necessary permissions. Re-authentication will not help — this is an authorisation failure.
When to Return 403
Use 403 when an authenticated user tries to access a resource they don't have permission to access: wrong role, wrong tenant, admin-only endpoint. Some servers return 404 instead of 403 to avoid disclosing that the resource exists.
Common Causes
- User lacks the required role or permission
- Resource belongs to a different user/tenant
- IP address is blocked
- Rate limit exceeded for specific operation
- Feature not included in user's plan
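The 401/403/404 decisions described above (no identity, wrong role, wrong tenant, and the optional choice to answer a cross-tenant request with 404 so the resource's existence is not disclosed), as an added framework-free example that is not part of the original page; the function name, the `tenantId`/`roles` fields and the `hideExistence` flag are this example's own assumptions:

```javascript
// Added example: one decision function that encodes the rules from the text.
// Field names (tenantId, roles) and the hideExistence option are assumed.
const STATUS = { OK: 200, UNAUTHORIZED: 401, FORBIDDEN: 403, NOT_FOUND: 404 };

// `user` is null when the request carried no valid credentials;
// `resource` is null when nothing matched the requested id.
function authorizeRequest({ user, resource, requiredRole, hideExistence = false }) {
  // No identity at all: an authentication problem, so 401 rather than 403.
  if (!user) {
    return { status: STATUS.UNAUTHORIZED, body: { error: 'Unauthorized' } };
  }
  // Authenticated but lacking the role: an authorisation problem, so 403.
  if (requiredRole && !(user.roles || []).includes(requiredRole)) {
    return {
      status: STATUS.FORBIDDEN,
      body: { error: 'Forbidden', message: `Requires ${requiredRole} role` },
    };
  }
  // The resource genuinely does not exist.
  if (!resource) {
    return { status: STATUS.NOT_FOUND, body: { error: 'Not Found' } };
  }
  // Tenant isolation: the resource exists but belongs to another tenant.
  if (resource.tenantId !== user.tenantId) {
    // Optionally answer as if it did not exist, so the response does not
    // confirm that another tenant's id is valid.
    if (hideExistence) {
      return { status: STATUS.NOT_FOUND, body: { error: 'Not Found' } };
    }
    return {
      status: STATUS.FORBIDDEN,
      body: { error: 'Forbidden', message: 'Resource belongs to another tenant' },
    };
  }
  return { status: STATUS.OK, body: resource };
}

// Constructed sample principals and resources.
const alice = { id: 'u1', tenantId: 't1', roles: ['user'] };
const admin = { id: 'u2', tenantId: 't1', roles: ['user', 'admin'] };
const ownInvoice = { id: 'inv-1', tenantId: 't1', total: 7 };
const otherInvoice = { id: 'inv-9', tenantId: 't2', total: 42 };

console.log(authorizeRequest({ user: null, resource: ownInvoice }).status);
console.log(authorizeRequest({ user: alice, resource: ownInvoice, requiredRole: 'admin' }).status);
console.log(authorizeRequest({ user: admin, resource: otherInvoice }).status);
console.log(authorizeRequest({ user: admin, resource: otherInvoice, hideExistence: true }).status);
```

Plugging `req.user` and the loaded resource into this function from inside a route handler yields the same responses as the Express middleware shown later on the page, with the tenant check added.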
HTTP Response Example
HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error": "Forbidden", "message": "Requires admin role"}
Code Examples
Express.js
const express = require('express')
const app = express()

// Middleware factory. `authenticate` (defined elsewhere in the app) runs first
// and populates req.user; `handler` is the route's own logic.
const requireRole = (role) => (req, res, next) => {
  // No identity: an authentication problem, so 401 rather than 403
  if (!req.user) return res.sendStatus(401)
  // Authenticated but missing the role: an authorisation problem, so 403
  if (!(req.user.roles || []).includes(role)) {
    return res.status(403).json({
      error: 'Forbidden',
      message: `Requires ${role} role`,
    })
  }
  next()
}

app.delete('/admin/users/:id', authenticate, requireRole('admin'), handler)
Next.js App Router
// app/api/admin/users/[id]/route.ts
// getSession and db are project-specific helpers; the import paths are assumed
import { getSession } from '@/lib/session'
import { db } from '@/lib/db'

export async function DELETE(
  request: Request,
  { params }: { params: Promise<{ id: string }> },
) {
  const session = await getSession(request)
  // Not signed in at all: 401
  if (!session) return Response.json({ error: 'Unauthorized' }, { status: 401 })
  // Signed in but not an admin: 403
  if (!session.user.isAdmin) {
    return Response.json({ error: 'Forbidden' }, { status: 403 })
  }
  await db.users.delete((await params).id)
  return new Response(null, { status: 204 })
}
Related Status Codes
Frequently Asked Questions
What does HTTP 403 Forbidden mean?
The server understood the request but refuses to authorise it. The client is authenticated (unlike 401) but lacks the necessary permissions. Re-authentication will not help — this is an authorisation failure.
When should an API return 403?
Use 403 when an authenticated user tries to access a resource they don't have permission to access: wrong role, wrong tenant, admin-only endpoint. Some servers return 404 instead of 403 to avoid disclosing that the resource exists.
What causes an HTTP 403 error?
Common causes: the user lacks the required role or permission; the resource belongs to a different user or tenant; the client's IP address is blocked; a rate limit for the specific operation has been exceeded; or the feature is not included in the user's plan.
