HTTP Reference
HTTP 403 Forbidden
The server understood the request and knows who the client is, but refuses to authorize it; unlike 401, re-authenticating with the same credentials will not help.
Common Causes
- Token is valid but lacks required permission scope.
- User role does not permit requested action.
- IP or geo restrictions blocked the request.
Debugging Notes
- Differentiate 401 (not authenticated: missing or invalid credentials, send a WWW-Authenticate challenge) from 403 (authenticated but not authorized: no challenge) clearly in auth middleware.
- Audit RBAC/ABAC rules and policy evaluation logs.
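The 401/403 split and the policy-evaluation audit trail from the notes above, as an added example that is not part of the original reference page. The token store, the scope names and the realm string are constructed for illustration; the function shapes mimic a generic Node-style handler (lower-cased header keys) rather than any particular framework.

```javascript
// Added example (not from the page): an auth check that separates
// 401 (authentication failed) from 403 (authenticated, not authorized).
// TOKENS is a constructed, in-memory stand-in for a real credential store.
const TOKENS = {
  "tok-reader": { subject: "alice", scopes: ["reports:read"] },
  "tok-editor": { subject: "bob", scopes: ["reports:read", "reports:write"] },
};

// Resolve the bearer token to a principal, or null when the credential is
// missing, malformed or unknown. Header keys are assumed lower-cased.
function authenticate(headers) {
  const value = headers["authorization"] || "";
  const [scheme, token] = value.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return TOKENS[token] || null;
}

// Audit log record for the policy decision; returned so it can be inspected
// or shipped to whatever log pipeline the deployment uses (assumption).
function auditLine(principal, requiredScope, decision) {
  return {
    event: "policy_evaluation",
    subject: principal ? principal.subject : null,
    required_scope: requiredScope,
    granted_scopes: principal ? principal.scopes : [],
    decision, // "unauthenticated" | "denied" | "allowed"
  };
}

// Evaluate a request against one required scope and build the response.
function authorize(req, requiredScope) {
  const principal = authenticate(req.headers || {});

  if (!principal) {
    // No usable credential: 401 plus a challenge so the client knows how to authenticate.
    return {
      status: 401,
      headers: { "WWW-Authenticate": 'Bearer realm="api"' }, // realm is a placeholder
      body: { status: 401, error: "Unauthorized", message: "Missing or invalid credentials" },
      audit: auditLine(principal, requiredScope, "unauthenticated"),
    };
  }

  if (!principal.scopes.includes(requiredScope)) {
    // Identity is established but the scope is missing: 403, no challenge,
    // because presenting the same credential again cannot change the outcome.
    return {
      status: 403,
      headers: {},
      body: { status: 403, error: "Forbidden", message: "Insufficient permissions" },
      audit: auditLine(principal, requiredScope, "denied"),
    };
  }

  return {
    status: 200,
    headers: {},
    body: { ok: true, subject: principal.subject },
    audit: auditLine(principal, requiredScope, "allowed"),
  };
}

// Sample call with a constructed request: a read-only token asking for write access.
const sample = authorize({ headers: { authorization: "Bearer tok-reader" } }, "reports:write");
console.log(sample.status, JSON.stringify(sample.body), JSON.stringify(sample.audit));
```

The audit record carries both the scope that was required and the scopes the principal actually holds, which is what you need when auditing RBAC/ABAC rules after the fact: a burst of "denied" records for the same subject and scope usually points at a mis-scoped token or a policy change rather than at an attack.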
Example Response
{
  "status": 403,
  "error": "Forbidden",
  "message": "Insufficient permissions"
}