REST API · Concept · Beginner · 3 min read

What is 403 Status Code: Meaning and Usage in REST APIs

The 403 status code means "Forbidden" in HTTP responses. It tells the client that the server understood the request but refuses to authorize it, usually due to insufficient permissions.
⚙️

How It Works

Imagine you try to enter a private room in a building. The door is there, and you can see inside, but you don't have the key to open it. The 403 Forbidden status code works like that locked door. The server understands your request and knows who you are, but it refuses to let you access the resource because you lack the right permissions.

This status code is different from 401 Unauthorized, which means you need to prove who you are (like showing an ID). With 403, the server already knows you but still denies access. It’s a clear message that you are not allowed to see or use the requested content.

💻

Example

This example shows a simple HTTP server in Python that returns a 403 status code when a user tries to access a protected page without permission.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer


class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/protected':
            # Protected resource: this minimal server grants nobody access,
            # so every request for it is refused with 403 Forbidden.
            self.send_response(403)
            self.send_header('Content-type', 'text/html')
            self.end_headers()
            self.wfile.write(b'403 Forbidden: You do not have permission to access this page.')
        else:
            # Every other path is public and answered with 200 OK.
            self.send_response(200)
            self.send_header('Content-type', 'text/html')
            self.end_headers()
            self.wfile.write(b'Welcome to the public page!')


if __name__ == '__main__':
    server = HTTPServer(('localhost', 8080), RequestHandler)
    print('Server running on http://localhost:8080')
    server.serve_forever()
```

Output:

Server running on http://localhost:8080
🎯

When to Use

Use the 403 Forbidden status code when a user is authenticated but does not have permission to access a resource. For example:

  • A user tries to access an admin dashboard without admin rights.
  • Someone attempts to view private files they are not allowed to see.
  • Access to a feature is restricted based on subscription level or role.

This helps keep resources secure by clearly telling clients that access is denied despite valid identity.
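The 401-versus-403 distinction above, as an added example that is not code from the original article: the `authorize` function returns 401 when the request carries no valid bearer token and 403 only once the identity is known but the role is too low. The SESSIONS and REQUIRED_ROLE tables are constructed sample data standing in for a real session store and access policy.

```python
# Added example (not the article's code): an authorization check that separates
# 401 (identity not established) from 403 (identity known, role insufficient).
# SESSIONS and REQUIRED_ROLE are constructed sample data, not a real store.
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {"token-alice": ("alice", "admin"), "token-bob": ("bob", "user")}
REQUIRED_ROLE = {"/admin": "admin", "/reports": "user"}  # other paths are public
ROLE_RANK = {"user": 1, "admin": 2}


def authorize(path, authorization):
    """Return (status, message): 200 allowed, 401 no valid token, 403 wrong role."""
    required = REQUIRED_ROLE.get(path)
    if required is None:
        return 200, "public resource"
    # No usable credentials: the client has not proven who it is -> 401.
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "authentication required"
    identity = SESSIONS.get(authorization[len("Bearer "):])
    if identity is None:
        return 401, "invalid credentials"
    user, role = identity
    # Identity is known; the only question left is permission -> 403 on failure.
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return 403, f"{user} lacks the {required} role"
    return 200, f"welcome {user}"


class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, message = authorize(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            # A 401 must say how to authenticate (RFC 7235); a 403 must not,
            # since retrying with other credentials is not the expected fix.
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())


if __name__ == "__main__":
    HTTPServer(("localhost", 8080), RequestHandler).serve_forever()
```

Requests for /admin with bob's token get 403 while the same request with no token or an unknown token gets 401, which is the split the article describes.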

Key Points

  • 403 means access is forbidden despite authentication.
  • It differs from 401, which means authentication is required.
  • Use it to protect resources from unauthorized use.
  • Clients should not retry with different credentials automatically.

Key Takeaways

  • The 403 status code means the server refuses access despite knowing the client’s identity.
  • It signals permission issues, not authentication problems.
  • Use 403 to protect resources from unauthorized users who are already identified.
  • Clients should understand 403 as a permanent denial for the requested resource.
  • Clear use of 403 improves security and user experience in APIs.