403 Forbidden
The server understood the request but refuses to authorize it. You're authenticated, but you don't have permission. Unlike 401, re-authenticating won't help.
COMMON CAUSES
HOW TO FIX IT
What this means for monitoring
403 from a WAF or CDN is one of the most common causes of false positives in monitoring. If your service works in the browser but the monitor gets 403, it's likely a bot protection rule.
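One way to separate the two kinds of 403 in a monitor's results, as an added example that is not part of the original page. It assumes the origin application stamps every response with an x-request-id header and serves JSON (both hypothetical, adjust to your app); cf-mitigated: challenge is the header Cloudflare sets on challenge pages.

```python
# Added example. Assumptions: the origin stamps every response with an
# "x-request-id" header and serves JSON; both are hypothetical, adjust to your app.
# "cf-mitigated: challenge" is the header Cloudflare sets on challenge pages.

def triage(status, headers, origin_header="x-request-id",
           expected_type="application/json"):
    """Classify a monitor response as an auth, permission, or edge problem."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if status == 401:
        return "reauthenticate"      # credentials missing or invalid
    if status != 403:
        return "not-applicable"
    if h.get("cf-mitigated") == "challenge":
        return "edge-block"          # bot protection answered, not the app
    if origin_header in h:
        return "origin-denied"       # the app itself refused: a permission issue
    if not h.get("content-type", "").startswith(expected_type):
        return "edge-block-likely"   # no origin marker and an unexpected body type
    return "unknown"

# Constructed sample responses (status, headers) as a monitor might record them.
SAMPLES = {
    "waf_challenge": (403, {"Server": "cloudflare", "CF-Mitigated": "challenge",
                            "Content-Type": "text/html; charset=UTF-8"}),
    "app_forbidden": (403, {"X-Request-Id": "constructed-1234",
                            "Content-Type": "application/json"}),
    "generic_block": (403, {"Content-Type": "text/html"}),
    "expired_key": (401, {"WWW-Authenticate": "Bearer",
                          "Content-Type": "application/json"}),
}

def triage_all(samples=SAMPLES):
    """Run triage over every constructed sample and return name -> verdict."""
    return {name: triage(status, headers)
            for name, (status, headers) in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:15} {verdict}")
```

An "edge-block" or "edge-block-likely" verdict points at the WAF or CDN rule that matched the monitor, while "origin-denied" means the monitor's credentials lack permission and re-authenticating will not change the result.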
Related status codes
4xx Client Error
400 Bad Request: The server can't process the request because something is wrong with it. Missing required fields, invalid JSON, wrong data types. Check your request body and query parameters.
401 Unauthorized: Authentication is required but was missing or invalid. Despite the name, this is about authentication (who you are), not authorization (what you can do). Check your API key or session.
404 Not Found: The resource doesn't exist at this URL. Either the URL is wrong, the resource was deleted, or it never existed. The most familiar HTTP error code.
405 Method Not Allowed: The HTTP method isn't supported for this URL. You sent a DELETE to an endpoint that only accepts GET and POST. The response includes an Allow header listing valid methods.
408 Request Timeout: The server timed out waiting for the request. The client took too long to send the full request. Different from a gateway timeout (504) which is about the server being slow.
409 Conflict: The request conflicts with the current state of the resource. Common with concurrent updates — two people editing the same record, or trying to create a resource that already exists.
410 Gone: The resource existed but has been permanently deleted. Unlike 404, this is deliberate — the server is saying "it was here, it's not anymore, and it's not coming back."
413 Content Too Large: The request body is larger than the server is willing to accept. Common when uploading files that exceed the server's size limit.
415 Unsupported Media Type: The server doesn't support the Content-Type of the request. You sent XML but the endpoint only accepts JSON, or you forgot the Content-Type header entirely.
422 Unprocessable Content: The request is well-formed but the content is invalid. The JSON is valid, but the data doesn't pass validation — missing required fields, values out of range, business rule violations.
429 Too Many Requests: You've hit a rate limit. The server is telling you to slow down. Check the Retry-After header for how long to wait. If you're seeing this in monitoring, your checks might be too frequent.