403 Forbidden
Meaning
The server understood the request but refuses to authorize it. The client is not allowed to access this resource, even if authenticated.
When to Use
When the client is authenticated but does not have permission to access the resource, or the server does not want to reveal that the resource exists. It indicates that the request itself is valid, but the server refuses to act on it.
Example
A user without admin rights tries to access an admin-only API endpoint and receives 403 Forbidden, indicating they are recognized but not permitted to proceed.
When Not to Use
Do not use 403 for authentication errors: if the problem is missing or invalid credentials, respond with 401 instead. Do not use 403 when a resource genuinely does not exist; that is a 404. Conversely, some applications deliberately return 404 rather than 403 for security reasons, so that the response does not confirm that a protected resource exists.
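The 401 / 403 / 404 distinction described above, as an added example that is not part of the original page: a minimal request handler for an admin-only endpoint like the one in the example section. The token store, the route table and the response bodies are constructed for illustration; only the Authorization and WWW-Authenticate header names are real HTTP.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the page): bearer tokens -> user records.
USERS = {
    "token-alice": {"name": "alice", "roles": {"user"}},
    "token-root": {"name": "root", "roles": {"user", "admin"}},
}

# Constructed route table: path -> role required (None = any authenticated user).
ROUTES = {
    "/api/profile": None,
    "/api/admin/users": "admin",
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def authenticate(headers):
    """Return the user record for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return USERS.get(token)


def handle(path, headers, hide_forbidden=False):
    """Decide the status code for a request.

    401: no or invalid credentials (authentication failed); a 401 must carry
         WWW-Authenticate so the client knows how to authenticate.
    403: credentials are valid but the caller lacks the required role.
    404: the path does not exist, or, when hide_forbidden is set, the caller
         lacks permission and the server prefers not to reveal the resource.
    200: authenticated and authorized.
    """
    # Authentication is checked first, so an unauthenticated client learns
    # nothing about which paths exist.
    user = authenticate(headers)
    if user is None:
        return Response(401, "authentication required",
                        {"WWW-Authenticate": 'Bearer realm="api"'})

    if path not in ROUTES:
        return Response(404, "not found")

    required_role = ROUTES[path]
    if required_role is not None and required_role not in user["roles"]:
        if hide_forbidden:
            # Identical status and body to a missing resource: the caller
            # cannot tell "forbidden" apart from "does not exist".
            return Response(404, "not found")
        return Response(403, "forbidden")

    return Response(200, f"hello {user['name']}")


if __name__ == "__main__":
    alice = {"Authorization": "Bearer token-alice"}
    root = {"Authorization": "Bearer token-root"}
    print(handle("/api/admin/users", {}).status)           # 401
    print(handle("/api/admin/users", alice).status)        # 403
    print(handle("/api/admin/users", alice, True).status)  # 404
    print(handle("/api/admin/users", root).status)         # 200
```

The ordering matters: authentication is decided before the route lookup, so an anonymous client gets 401 for every path, and with `hide_forbidden` an authenticated but unauthorized client gets the same 404 it would get for a path that does not exist.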
Source
RFC 9110