ma11hew28
Reputation: 126507
HTTP Status Code for Authenticated but Unauthorized?
With which HTTP status code should a REST API respond if the request is authenticated (according to The OAuth 2.0 Authorization Framework: Bearer Token Usage: Authorization Request Header Field) but the authenticated user is unauthorized to view the resource being requested?
For example, imagine I make a request to see a certain user's profile: GET /users/123. I authenticate successfully, but that user has blocked me. With which HTTP status code should the server respond?
Related:
Upvotes: 2
Views: 1326
Answers (1)
Opal
Reputation: 84854
The code you need is 403 Forbidden:
From wikipedia:
A 403 response generally indicates one of two conditions:
- Authentication was provided, but the authenticated user is not permitted to perform the requested operation.
- The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.
Upvotes: 3
Related Questions
- Correct HTTP status code when resource is available but not accessible because of permissions
- What HTTP status code return when user needs to be UNAUTHORIZED to access page
- Correct return status code for authentication issues?
- Correct http status code for resource which requires authorization
- REST API: HTTP Status code for auth violation
- REST HTTP status code for "success, and thus you no longer have access"
- What HTTP Status Code would represent Authenticated but requires acceptance of terms
- HTTP status code for missing authentication
- A distinct HTTP status for not logged in vs. not authorized in a RESTful API
- REST http status code for content that needs authentication?