{
  "topic": "errors.FORBIDDEN",
  "path": [
    "errors",
    "FORBIDDEN"
  ],
  "title": "FORBIDDEN — caller lacks required role or permission",
  "synopsis": "The request was authenticated successfully but the caller's JWT claims do not include the role required by the endpoint (for example, `admin` is required for administrative operations). Tenant mismatch — where the caller's tenant does not match the resource — also produces this error.",
  "body": "# errors.FORBIDDEN\n\n## NAME\n\nFORBIDDEN — the authenticated caller does not have the role or permission required to perform the operation.\n\n## SYNOPSIS\n\nHTTP: `403` `Forbidden`. Retryable: `no`.\n\n## DESCRIPTION\n\nThe request was authenticated successfully but the caller's JWT claims do not include the role required by the endpoint (for example, `admin` is required for administrative operations). Tenant mismatch — where the caller's tenant does not match the resource — also produces this error.\n\nNot retryable with the same token. The token's role claims determine access.\n\n## SEE ALSO\n\n- errors\n- errors.UNAUTHORIZED\n",
  "sections": [
    {
      "name": "NAME",
      "body": "FORBIDDEN — the authenticated caller does not have the role or permission required to perform the operation."
    },
    {
      "name": "SYNOPSIS",
      "body": "HTTP: `403` `Forbidden`. Retryable: `no`."
    },
    {
      "name": "DESCRIPTION",
      "body": "The request was authenticated successfully but the caller's JWT claims do not include the role required by the endpoint (for example, `admin` is required for administrative operations). Tenant mismatch — where the caller's tenant does not match the resource — also produces this error.\n\nNot retryable with the same token. The token's role claims determine access."
    },
    {
      "name": "SEE ALSO",
      "body": "- errors\n- errors.UNAUTHORIZED"
    }
  ],
  "see_also": [
    "errors",
    "errors.UNAUTHORIZED"
  ],
  "stability": "stable",
  "actions": []
}