The server understood the request and knows who you are, but refuses to authorize it.
What 403 Forbidden means
403 Forbidden is the authorization-failure code. 401 says "the request carried no acceptable credentials, send some"; 403 says "we know exactly who you are, and you are still not allowed to do this". RFC 9110 adds that when a 403 comes back to a request that did carry credentials, the server considered them insufficient, so the client should not retry with the same ones. The classic 403 cases: trying to access another user's data, attempting an admin-only operation as a regular user, or hitting a resource that has been blocked at the edge or firewall level (Cloudflare 403, AWS WAF 403, etc.).
When servers should return it: Return 403 when authentication succeeded but the caller lacks the permission, scope, or role to perform the action. Do not return 403 for missing or invalid credentials (that is 401, with a WWW-Authenticate challenge) or for a resource that does not exist (that is 404). The one sanctioned exception runs the other way: RFC 9110 lets a server answer 404 instead of 403 when it wants to hide that a forbidden resource exists at all.
Common causes
User lacks the required role or permission
OAuth token does not include the necessary scope
IP address blocked by the WAF or firewall rule
Cloudflare or another CDN blocked the request as suspicious
CORS preflight rejected (the server answered the OPTIONS request with 403, for example because the Origin was not on its allow-list); the browser then reports a CORS error and never sends the real request
Resource is restricted to a specific tenant the caller does not belong to
How to fix 403 Forbidden
Verify the token has the required scope or permission
Check the response body and headers for a specific reason: a geo-block or WAF rule ID, a WWW-Authenticate: Bearer error="insufficient_scope" header (RFC 6750), or a rate limit, which is properly 429 but which some WAFs still signal with 403
For CORS errors, inspect the OPTIONS preflight response, not the actual request
For WAF 403s, check Cloudflare / AWS logs for the rule that fired
For permission errors, request the specific missing permission or a token that carries the missing scope; ask for the narrowest scope that unblocks the call rather than a blanket elevation
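The client-side checks in the list above, as an added worked example that is not part of the original page: decode the payload of your own bearer token to see which scopes it actually carries, compare against what the call needs, and classify a 403 by its headers before digging into logs. The token, headers and function names are constructed for the example; the JWT is not a real credential and is never signature-verified here, which is fine for inspecting a token you already hold but never for a trust decision.

```python
import base64
import json
import re


def _b64url(obj: dict) -> str:
    """base64url without padding, the JWT wire encoding."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed token for the example: real header/payload layout, junk signature.
# It is not a credential for any real service.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "user-42", "aud": "api.example.com", "scope": "orders:read"}),
    "bm90LWEtcmVhbC1zaWduYXR1cmU",
])


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS without checking its signature.
    Good enough to look at your own token while debugging a 403; never use
    unverified claims to decide whether to trust a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token: str) -> set:
    claims = jwt_claims(token)
    # Most OAuth issuers put a space-delimited "scope" string in the token;
    # some use an "scp" list. Handling both is an assumption of this example.
    if isinstance(claims.get("scope"), str):
        return set(claims["scope"].split())
    if isinstance(claims.get("scp"), list):
        return set(claims["scp"])
    return set()


def missing_scopes(token: str, required: set) -> set:
    """Scopes the call needs that the token does not carry."""
    return set(required) - token_scopes(token)


def classify_403(headers: dict, body: str, request_method: str = "GET") -> str:
    """Turn a 403 response into the first thing to check. Header names are
    matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    www = h.get("www-authenticate", "")
    # RFC 6750 s3.1: a bearer token lacking scope gets 403 plus
    # error="insufficient_scope", optionally naming the scope the resource wants.
    if 'error="insufficient_scope"' in www:
        wanted = re.search(r'scope="([^"]*)"', www)
        return "insufficient_scope: need " + (wanted.group(1) if wanted else "(scope not stated)")
    if request_method.upper() == "OPTIONS":
        # A rejected preflight surfaces in the browser as a CORS error, not as a 403.
        return "preflight rejected: fix the server's CORS allow-list for this Origin"
    if h.get("server", "").lower() == "cloudflare" and "cf-ray" in h:
        # cf-ray identifies the request in Cloudflare's firewall event log.
        return "edge block: look up ray " + h["cf-ray"] + " in Cloudflare's firewall events"
    return "application denial: read the body, e.g. " + body.strip()[:60]


if __name__ == "__main__":
    print(missing_scopes(SAMPLE_TOKEN, {"orders:read", "orders:write"}))
    print(classify_403(
        {"WWW-Authenticate": 'Bearer error="insufficient_scope", scope="orders:write"'}, ""))
```

Run it against a real response by pasting the headers you see in the browser's network tab or `curl -i` output into `classify_403`; the insufficient_scope branch is the only one that tells you exactly what to request, which is why a well-behaved OAuth resource server should emit it.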
401 = unauthenticated (who are you?). 403 = unauthorized (we know you; you cannot do this). The confusion is baked into the spec: the RFC reason phrase for 401 is "Unauthorized", even though it is the missing-authentication code.
Should 403 reveal why?
Sometimes yes (it helps debugging), sometimes no (it leaks information). For internal APIs, be specific: missing scope, tenant mismatch, rule ID. For public APIs facing potential attackers, keep the body generic and, more importantly, be consistent: if "exists but is not yours" gets 403 and "does not exist" gets 404, the status code itself tells an attacker which IDs exist. RFC 9110 permits answering 404 in both cases precisely so a server can avoid that.
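The server-side decision order from "When servers should return it", together with the 403-versus-404 choice discussed just above, as an added worked example that is not code from the original page: authentication is checked first (401), then existence (404), then tenant isolation, then scope and role (403). Cross-tenant requests are answered 404 by default so the status code cannot be used to enumerate another tenant's IDs, which RFC 9110 explicitly allows. The token table, documents, scope names and tenant model are constructed assumptions; a real service would verify a signed token where this looks up a dict.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Principal:
    user_id: str
    tenant: str
    roles: set = field(default_factory=set)
    scopes: set = field(default_factory=set)


@dataclass
class Document:
    doc_id: str
    tenant: str
    owner: str


# Constructed sample data for the example.
DOCS = {
    "doc-1": Document("doc-1", "acme", "alice"),
    "doc-2": Document("doc-2", "globex", "bob"),
}

# Bearer token -> principal. A real system verifies a signed token here instead.
SESSIONS = {
    "tok-alice": Principal("alice", "acme", roles={"member"}, scopes={"docs:read"}),
    "tok-admin": Principal("root", "acme", roles={"admin"}, scopes={"docs:read", "docs:delete"}),
}

# Scope each method needs (assumption of the example).
SCOPE_FOR_METHOD = {"GET": "docs:read", "DELETE": "docs:delete"}


def decide(auth_header: Optional[str], method: str, doc_id: str,
           hide_cross_tenant: bool = True) -> tuple:
    """Return (status, detail) in the order RFC 9110 implies:
    credentials first, then existence, then permission."""
    # 1. Authentication. Missing or unknown credentials -> 401 plus a challenge
    #    (RFC 9110 s15.5.2), never 403.
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, 'WWW-Authenticate: Bearer realm="docs"'
    who = SESSIONS.get(auth_header[len("Bearer "):])
    if who is None:
        return 401, 'WWW-Authenticate: Bearer error="invalid_token"'

    # 2. Existence. Unknown resource -> 404, not 403.
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, "no such document"

    # 3. Tenant isolation. RFC 9110 s15.5.4 permits 404 in place of 403 when the
    #    server wants to hide that a forbidden resource exists; doing so here means
    #    a caller cannot tell "foreign tenant's doc" from "no doc" by status code.
    if doc.tenant != who.tenant:
        if hide_cross_tenant:
            return 404, "no such document"
        return 403, "document belongs to another tenant"

    # 4. Scope and role. Authenticated, resource exists, caller lacks rights -> 403.
    needed = SCOPE_FOR_METHOD.get(method)
    if needed is None:
        return 405, "method not allowed"
    if needed not in who.scopes:
        # RFC 6750 s3.1: tell an OAuth client exactly which scope it is missing.
        return 403, f'WWW-Authenticate: Bearer error="insufficient_scope", scope="{needed}"'
    if method == "DELETE" and "admin" not in who.roles and doc.owner != who.user_id:
        return 403, "only the owner or an admin may delete"
    return 200, "ok"


if __name__ == "__main__":
    for args in [(None, "GET", "doc-1"), ("Bearer tok-alice", "GET", "doc-1"),
                 ("Bearer tok-alice", "GET", "doc-2"), ("Bearer tok-alice", "DELETE", "doc-1"),
                 ("Bearer tok-admin", "DELETE", "doc-1")]:
        print(args, "->", decide(*args))
```

The ordering matters as much as the codes: checking scope before existence would let an unauthorized caller learn which IDs exist from 403-versus-404 differences, and checking existence before authentication would leak the same thing to anonymous callers.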
Why am I getting 403 from Cloudflare?
Cloudflare returns 403 when its WAF, bot management, or firewall rules block your request. The cf-ray response header identifies the request; look it up in the Cloudflare firewall event log to find the specific rule that fired.
Defined in: RFC 9110 §15.5.4 · Class: 4xx Client Error
More references
For a one-page reference of all HTTP status codes, see the HTTP cheat sheet. For testing API responses, try the API Tester tool. For inspecting responses on the command line, the curl cheat sheet covers the most common flags.