403 4xx RFC 9110 §15.5.4

Forbidden

Authenticated but not authorized. Server understood the request but refuses to fulfill it.

What HTTP 403 means

RFC 9110 §15.5.4. The client is authenticated (or auth is irrelevant) but lacks permission to access the resource. Cannot be resolved by re-authenticating with the same credentials. Common in IAM/RBAC contexts and CORS preflight failures.

Typical causes

IAM/RBAC permission missing
CORS rejection
IP allowlist
Disabled account
Suspended API key

403 across services

How 2 different errors map to HTTP 403 across the services we cover.

AWS

AccessDeniedException — IAM Permission Denied

GitHub

403_rate_limit — REST API Rate Limit Exceeded