> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lasscyber.com/llms.txt
> Use this file to discover all available pages before exploring further.

# forbidden

> HTTP 403 — authenticated but not authorised for this resource.

|                 |                                      |
| --------------- | ------------------------------------ |
| **HTTP status** | `403 Forbidden`                      |
| **Code**        | `forbidden`                          |
| **Retry?**      | No — request additional permissions. |

## When this happens

The request authenticated successfully but the credential lacks the
permission needed to perform the action. Common causes:

* The API key is missing a scope (e.g. a key holding only `policy:read`
  tries to delete a policy).
* The credential belongs to tenant A but the request targets a
  resource in tenant B (a cross-tenant access attempt).
* The role attached to the user does not allow the action (e.g. a
  `viewer` trying to create, update or delete a resource).
* A specialised case: the JWT user has not verified their email — see
  [`email_not_verified`](/errors/email_not_verified) which surfaces
  with the same 403 status but a different `code`.

## Example response

```json
{
  "detail": "Permission denied: missing scope policy:delete.",
  "code": "forbidden",
  "request_id": "5b3f6c7e-7d24-4d40-9b12-3a59c01c6e91",
  "doc_url": "https://docs.lasscyber.com/errors/forbidden"
}
```

## How to fix

1. Compare the action you attempted against the
   [role matrix](/administration/roles-and-permissions).
2. If you control the API key, mint one with the right scope set.
3. If you are a member without the right role, ask an owner or admin
   to grant it.
4. If the resource simply belongs to a different tenant, switch
   tenants in the dashboard or use a key from the right tenant.

## SDK behaviour

| SDK        | Exception               |
| ---------- | ----------------------- |
| Python     | `agnes.PermissionError` |
| TypeScript | `PermissionError`       |

SDKs do not retry 403s — there is no recovery without a permission
change.
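The following is an added client-side example, not code from the SDKs or from the API described on this page. It shows the two points above in working form: dispatching on `code` rather than on the status (so `forbidden` and `email_not_verified` are handled differently even though both are 403), pulling the missing scope out of `detail` when it is present, and a retry loop that never retries a 403. The sample bodies are constructed to match the example response; the `email_not_verified` detail text, the `PermissionDenied` class and the `retryable` status set are assumptions for illustration and not documented here.

```python
import json
import re
from typing import Callable, Tuple

# Constructed sample bodies (not captured from the live API), shaped like
# the example response on this page. The email_not_verified detail text
# is an assumption; only its code and 403 status are documented.
FORBIDDEN_BODY = json.dumps({
    "detail": "Permission denied: missing scope policy:delete.",
    "code": "forbidden",
    "request_id": "5b3f6c7e-7d24-4d40-9b12-3a59c01c6e91",
    "doc_url": "https://docs.lasscyber.com/errors/forbidden",
})
EMAIL_NOT_VERIFIED_BODY = json.dumps({
    "detail": "Email address not verified.",
    "code": "email_not_verified",
    "request_id": "0f1e2d3c-4b5a-4a69-8877-665544332211",
    "doc_url": "https://docs.lasscyber.com/errors/email_not_verified",
})

# Scopes on this page look like "<resource>:<verb>", e.g. policy:read.
SCOPE_RE = re.compile(r"missing scope ([a-z_]+:[a-z_]+)")


def classify_403(body_text: str) -> dict:
    """Turn a 403 body into something the caller can act on.

    Dispatch on `code`, not on the status: `forbidden` and
    `email_not_verified` share 403 but need different fixes. Every
    outcome carries retry=False and the request_id, which is what an
    owner or admin will ask for when you request the permission.
    """
    body = json.loads(body_text)
    code = body.get("code")
    out = {"code": code, "retry": False, "request_id": body.get("request_id")}
    if code == "forbidden":
        m = SCOPE_RE.search(body.get("detail", ""))
        out["action"] = "request_permission"
        # None when the cause is a role or tenant mismatch rather than a scope.
        out["missing_scope"] = m.group(1) if m else None
    elif code == "email_not_verified":
        out["action"] = "verify_email"
    else:
        # Unknown 403 code: surface the detail for a human; still no retry.
        out["action"] = "inspect_detail"
        out["detail"] = body.get("detail")
    return out


class PermissionDenied(Exception):
    """Assumed stand-in for the SDK's PermissionError (not imported here)."""

    def __init__(self, info: dict):
        super().__init__(f"{info['code']} (request_id={info['request_id']})")
        self.info = info


def call_with_retry(send: Callable[[], Tuple[int, str]],
                    attempts: int = 3,
                    retryable: Tuple[int, ...] = (429, 503)) -> Tuple[int, str]:
    """Retry loop that never retries a 403.

    `retryable` is an assumed set of transient statuses for illustration;
    this page only documents that 403 is not retried.
    """
    status, body = 0, ""
    for _ in range(attempts):
        status, body = send()
        if status == 403:
            raise PermissionDenied(classify_403(body))
        if status not in retryable:
            break
    return status, body


def demo_no_retry() -> int:
    """Send a request that always returns 403; return how many times it was sent."""
    calls = {"n": 0}

    def fake_send() -> Tuple[int, str]:
        calls["n"] += 1
        return 403, FORBIDDEN_BODY

    try:
        call_with_retry(fake_send)
    except PermissionDenied as exc:
        assert exc.info["missing_scope"] == "policy:delete"
    return calls["n"]


if __name__ == "__main__":
    print(classify_403(FORBIDDEN_BODY))
    print(classify_403(EMAIL_NOT_VERIFIED_BODY))
    print("403 sent", demo_no_retry(), "time(s)")
```

The scope regex only works when the server names the missing scope in `detail`; for the role and cross-tenant cases `missing_scope` is `None` and the caller should fall back to the role matrix and the tenant check in the steps above. Keeping `request_id` on the exception is deliberate: it is the one value an admin can use to find the denied request.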

## Related

* [Roles & permissions](/administration/roles-and-permissions)
* [API keys](/administration/api-keys) — scope picker.
* [`email_not_verified`](/errors/email_not_verified) — same status,
  different cause.
