# FORBIDDEN — caller lacks required role or permission

<em>cyoda-go version <a href="https://github.com/Cyoda-platform/cyoda-go/releases/tag/v0.6.2">0.6.2</a></em>

# errors.FORBIDDEN

## NAME

FORBIDDEN — the authenticated caller does not have the role or permission required to perform the operation.

## SYNOPSIS

HTTP: `403` `Forbidden`. Retryable: `no`.

## DESCRIPTION

The request was authenticated successfully but the caller's JWT claims do not include the role required by the endpoint (for example, `admin` is required for administrative operations). Tenant mismatch — where the caller's tenant does not match the resource — also produces this error.

Not retryable with the same token. The token's role claims determine access.
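
The following client-side handler is an added example, not code from cyoda-go. It applies the rule that handling keys on the `errorCode` in the `properties` object rather than on the HTTP status, and that `FORBIDDEN` is not retried with the same token. The `Action` names, the sample bodies, and the choice to re-authenticate on `UNAUTHORIZED` are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Action is what the client does next (hypothetical names for this example).
type Action string

const (
	DoNotRetry     Action = "do-not-retry"   // same token will keep failing
	Reauthenticate Action = "reauthenticate" // assumption: get a fresh token first
	Inspect        Action = "inspect"        // unknown or missing errorCode
)

// errorBody models only what the page documents: properties.errorCode.
type errorBody struct {
	Properties struct {
		ErrorCode string `json:"errorCode"`
	} `json:"properties"`
}

// Classify keys on properties.errorCode; the HTTP status is never consulted,
// because several codes may share one status.
func Classify(body []byte) (string, Action) {
	var eb errorBody
	if err := json.Unmarshal(body, &eb); err != nil || eb.Properties.ErrorCode == "" {
		return "", Inspect // malformed body or no code: do not guess from status
	}
	switch eb.Properties.ErrorCode {
	case "FORBIDDEN":
		return "FORBIDDEN", DoNotRetry // role or tenant mismatch: surface to caller
	case "UNAUTHORIZED":
		return "UNAUTHORIZED", Reauthenticate
	default:
		return eb.Properties.ErrorCode, Inspect
	}
}

func main() {
	// Constructed sample bodies; only properties.errorCode comes from the docs.
	samples := []string{
		`{"status":403,"properties":{"errorCode":"FORBIDDEN"}}`,
		`{"status":403,"properties":{"errorCode":"EXAMPLE_OTHER_CODE"}}`,
		`{"properties":{"errorCode":"UNAUTHORIZED"}}`,
		`<html>403 from a proxy</html>`,
	}
	for _, s := range samples {
		code, act := Classify([]byte(s))
		fmt.Printf("code=%q action=%s\n", code, act)
	}
}
```
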

## SEE ALSO

- errors
- errors.UNAUTHORIZED

## See also

- [`cyoda help errors`](/help/errors/) — Every error response from the Cyoda REST API carries a structured `errorCode` in the `properties` object. Multiple codes may share the same HTTP status. Programmatic handling keys on `errorCode`, not HTTP status.
- [`cyoda help errors UNAUTHORIZED`](/help/errors/unauthorized/) — Returned when the `Authorization` header is missing, the bearer token is expired, the token signature is invalid, or the token was issued by an untrusted issuer. Also returned when a request reaches a protected route with no identity context established by the auth middleware.

## Raw formats

- [`/help/errors/forbidden.json`](/help/errors/forbidden.json) — full descriptor (matches `GET /help/{topic}` envelope)
- [`/help/errors/forbidden.md`](/help/errors/forbidden.md) — body only