403 Forbidden

Authentication succeeded — the server knows exactly who you are — and the answer is still no. Retrying with the same identity will keep failing. This is a permissions conversation: roles, scopes, ownership, or an explicit block.

What usually causes it

  • Missing role/scope for this action (token valid, permissions insufficient)
  • Resource-level ownership checks (accessing another tenant's data)
  • IP allowlists, geo blocks, or WAF rules
  • Cloud storage object permissions (S3 returns 403 for missing objects when list permission is absent)

How to debug and fix it

  1. Compare the token's scopes/roles against what the endpoint requires — usually documented or discoverable from a working user's token.
  2. Check whether it is a WAF/proxy 403 rather than the app's: the response body and Server header usually differ.
  3. For cloud storage, remember 403-instead-of-404 semantics: 'forbidden' may mean 'not found but I won't confirm it'.
  4. Server-side: log the failed policy decision with a reason — 'authorization denied' with no cause wastes everyone's day.

Easily confused with