HTTP Status Code for Authenticated but Unauthorized?

Question

With which HTTP status code should a REST API respond if the request is authenticated (according to The OAuth 2.0 Authorization Framework: Bearer Token Usage: Authorization Request Header Field) but the authenticated user is unauthorized to view the resource being requested?

For example, imagine I make a request to see a certain user's profile: GET /users/123. I authenticate successfully, but that user has blocked me. With which HTTP status code should the server respond?

Here's a useful [guide](http://racksburg.com/choosing-an-http-status-code/) for choosing an appropriate HTTP Status Code — Alexandru Marculescu, Aug 26 '16 at 08:32

score 3 · Accepted Answer · answered Aug 26 '16 at 08:59

The code you need is 403 Forbidden:

From wikipedia:

A 403 response generally indicates one of two conditions:

Authentication was provided, but the authenticated user is not permitted to perform the requested operation.

The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.

HTTP Status Code for Authenticated but Unauthorized?

1 Answers1