403 Forbidden
This is an educational reference page about HTTP 403 Forbidden. The page itself is served as 200 OK so it can be indexed as HTTP documentation.
The request contained valid data and was understood by the server, but the server is refusing action. This may be due to the user not having the necessary permissions for a resource or needing an account of some sort, or attempting a prohibited action (e.g. creating a duplicate record where only one is allowed). This code is also typically used if the request provided authentication by answering the WWW-Authenticate header field challenge, but the server did not accept that authentication. The request should not be repeated.
What it means
HTTP 403 means the server understood the request and knows who the client is, but refuses to authorize access.
Common causes
- The authenticated user lacks a required role, permission, plan, or entitlement.
- Access is blocked by IP policy, organization policy, or resource ownership rules.
- The server intentionally refuses the action even though authentication succeeded.
How to fix it
- Check authorization rules and resource ownership checks.
- Return a clear reason in the response body when revealing it is safe, i.e. when the reason does not tell an unauthorized caller anything about the resource it is not entitled to know.
- Use 401 instead when the client is not authenticated.
Example response
HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error":"You do not have access to this project"}
Developer notes
A 403 response should not ask the client to log in again unless authentication is actually missing or invalid.
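The following is an added example, not code from the original page, showing the authorization decisions described in "How to fix it" and in the note above: 401 with a challenge when authentication is missing, 403 without a challenge when the caller is authenticated but not allowed, and a specific reason only when the caller is entitled to learn it. The token table, project table, plan names and the "export" action are constructed assumptions for the example.

```python
import json

# Constructed sample principals and resources for this example (not real data).
USERS = {
    "tok-alice": {"user": "alice", "roles": set(), "plan": "free"},
    "tok-bob":   {"user": "bob",   "roles": set(), "plan": "pro"},
    "tok-carol": {"user": "carol", "roles": {"admin"}, "plan": "pro"},
}
PROJECTS = {"p1": {"owner": "alice"}}
JSON = {"Content-Type": "application/json"}


def authenticate(headers):
    """Return the user record for a valid Bearer token, or None if absent/unknown."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return USERS.get(token)


def forbidden(reason):
    # 403 carries no WWW-Authenticate header: re-authenticating would not help.
    return 403, dict(JSON), json.dumps({"error": reason})


def handle(headers, action, project_id):
    """Authorize `action` ('view' or 'export') on a project; returns (status, headers, body)."""
    user = authenticate(headers)
    if user is None:
        # Authentication missing or invalid: answer 401 plus a challenge, never 403.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    project = PROJECTS.get(project_id)
    if project is None:
        return 404, dict(JSON), json.dumps({"error": "Project not found"})
    is_owner = project["owner"] == user["user"]
    if not is_owner and "admin" not in user["roles"]:
        # Authenticated but not authorized. The message is generic because this
        # caller is not entitled to learn anything further about the project.
        return forbidden("You do not have access to this project")
    if action == "export" and user["plan"] != "pro":
        # Still 403, but the caller owns the resource, so revealing the exact
        # reason (a missing plan entitlement) is safe and actionable.
        return forbidden("Export requires the pro plan")
    return 200, dict(JSON), json.dumps({"project": project_id, "action": action})
```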