HTTP 403 Forbidden: What It Means and When You See It
Quick Answer
HTTP 403 Forbidden means the server understood the request but refuses to authorize it. Unlike 401, authentication will not help — the client simply does not have access.
When HTTP 403 Is Returned
HTTP 403 Forbidden means authentication succeeded but the server refuses access. Common scenarios: a regular user trying to access an admin endpoint, a user trying to edit another user's data, an API key without the required scope, a service account missing a required role, and IP-based restrictions (allowlist/blocklist). Unlike 401, re-authenticating will not help - the user simply lacks permission. Some APIs return 404 instead of 403 to avoid disclosing that the resource exists.
Fixing HTTP 403 Errors
For API clients: verify the token or API key has the required scopes or permissions. Check the API documentation for the endpoint's required role. Try re-generating credentials with the correct permissions. For developers: return 403 when the authenticated user does not own or have access to the resource. Express.js: res.status(403).json({ error: "Forbidden" }). Consider returning 404 if you want to hide the existence of a resource from unauthorized users.
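The 401/403/404 decision described above, as an added example that is not part of the original page: a framework-free authorization check that covers the listed scenarios (missing credentials, non-owner access, admin-only endpoints, IP allowlists, and hiding a resource's existence). The resource table, role names and the hideExistence/ipAllowlist options are assumptions for illustration.

```javascript
// Constructed sample data standing in for a database.
const RESOURCES = {
  "doc-1": { ownerId: "alice", adminOnly: false },
  "admin-report": { ownerId: "system", adminOnly: true },
};

// Decide the HTTP status for a request by `user` (null = not authenticated)
// against `resourceId`. Options (assumed names):
//   hideExistence - answer 404 instead of 403 so callers cannot learn the resource exists
//   ipAllowlist / clientIp - reject requests from addresses outside the allowlist
function authorize(user, resourceId, opts = {}) {
  const { hideExistence = false, ipAllowlist = null, clientIp = null } = opts;

  // IP-based restriction: refused regardless of who the caller is.
  if (ipAllowlist && !ipAllowlist.includes(clientIp)) {
    return { status: 403, body: { error: "Forbidden" } };
  }
  // No credentials at all: 401, because authenticating could change the outcome.
  if (!user) {
    return { status: 401, body: { error: "Unauthorized" } };
  }
  const resource = RESOURCES[resourceId];
  if (!resource) {
    return { status: 404, body: { error: "Not Found" } };
  }
  // Admins may access anything; everyone else only what they own,
  // and never an admin-only endpoint.
  const isAdmin = user.role === "admin";
  const isOwner = resource.ownerId === user.id;
  const allowed = isAdmin || (!resource.adminOnly && isOwner);
  if (!allowed) {
    // Authenticated but not permitted: 403, or 404 if existence must stay hidden.
    return hideExistence
      ? { status: 404, body: { error: "Not Found" } }
      : { status: 403, body: { error: "Forbidden" } };
  }
  return { status: 200, body: { id: resourceId } };
}

// Adapter for an Express-style response object (res.status(...).json(...)).
function sendDecision(res, decision) {
  return res.status(decision.status).json(decision.body);
}
```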
Related Values
100
HTTP 100 Continue means the server has received the request headers and the client should proceed to send the request body. It is an interim response used to inform the client to continue.
101
HTTP 101 Switching Protocols indicates the server is switching to the protocol specified in the Upgrade header field. Commonly used when upgrading to WebSocket connections.
200
HTTP 200 OK is the standard success response. The request has succeeded and the server has returned the requested resource in the response body.
201
HTTP 201 Created means the request succeeded and a new resource was created as a result. The Location header typically points to the new resource URL.