403 Forbidden vs 401 Unauthorized HTTP responses In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource Another nice pictorial format of how http status codes should be used
When and why should i use 403 error code? - Stack Overflow The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it The word "authorize" sometimes trips people up, because it sounds like this status is specific to credentials
403 Forbidden error when querying search service - Stack Overflow Figured it out - had to add a Search Index Data Reader assignment to my search service for my user account (even though this is never mentioned in the tutorial, and my user account is the subscription admin)