HTTP vs gRPC

HTTP 403 Forbidden vs gRPC 7 PERMISSION_DENIED

HTTP 403 and gRPC PERMISSION_DENIED both mean the caller is authenticated but lacks the required permissions. The server knows who you are but will not let you perform the requested action. Re-authenticating will not help — the user needs elevated privileges.

HTTP 403 Forbidden

Description

The server understood the request but refuses to authorize it. Unlike 401, authentication will not help — the user simply does not have permission.

When You See It

When you are authenticated but try to access a resource that your account is not permitted to access.

How to Fix

Check your user role/permissions. Contact the admin to request access.

gRPC 7 PERMISSION_DENIED

Description

The caller does not have permission to execute the specified operation. This is not for unauthenticated callers — use UNAUTHENTICATED instead.

When You See It

The authenticated user lacks the required role, scope, or policy to perform this action. Different from UNAUTHENTICATED (code 16), which means no credentials at all.

How to Fix

Verify the caller has the correct IAM role, API scope, or access policy. Check RBAC configuration on the server side.

Key Differences

1. HTTP 403 is called 'Forbidden'; gRPC uses the clearer name 'PERMISSION_DENIED'.

2. Both assume the caller is already authenticated; if not, use 401/UNAUTHENTICATED instead.

3. HTTP services sometimes return 404 instead of 403 so as not to reveal that a resource exists; gRPC services follow the same pattern, returning NOT_FOUND instead of PERMISSION_DENIED.

4. gRPC PERMISSION_DENIED should not be used for rate limiting; use RESOURCE_EXHAUSTED instead.

5. Both indicate that the error is permanent for this user/role: retrying with the same credentials will not help.

When to Use Which

Return HTTP 403 when a logged-in user tries to access an admin-only endpoint or another user's data. Return gRPC PERMISSION_DENIED when the caller's IAM role or API scope does not include the required permission. Map gRPC 7 PERMISSION_DENIED to HTTP 403 in API gateways.
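As an added illustration of the decision described above (example code, not from the original page): a small Go authorization check that returns the gRPC code, followed by the gateway mapping to HTTP. The Code constants carry the standard gRPC numeric values; the Caller and Resource types, the Admin/Owner/Hidden rules, and the 5 -> 404 and 8 -> 429 gateway entries are assumptions made for this example.

```go
package main

// gRPC canonical codes used on this page (standard numeric values, redefined so no grpc import is needed).
type Code int
const (
	OK                Code = 0
	NotFound          Code = 5
	PermissionDenied  Code = 7
	ResourceExhausted Code = 8
	Unauthenticated   Code = 16
)

// Caller is the identity established from the request credentials (assumed shape for this example).
type Caller struct {
	ID    string
	Admin bool
}

// Resource is the object being acted on (assumed shape for this example).
type Resource struct {
	Owner     string
	AdminOnly bool
	Hidden    bool // existence must not be revealed to unauthorized callers (404-instead-of-403)
}

// Authorize picks the gRPC code; a nil Caller means no credentials at all. Order matters:
// identity (16) before quota (8) before permission (7); hidden objects get NOT_FOUND (5).
func Authorize(c *Caller, r Resource, rateLimited bool) Code {
	if c == nil {
		return Unauthenticated // caller unknown: never PERMISSION_DENIED
	}
	if rateLimited {
		return ResourceExhausted // quota is not a permission problem
	}
	if c.Admin || (!r.AdminOnly && r.Owner == c.ID) {
		return OK
	}
	if r.Hidden {
		return NotFound // do not confirm the object exists
	}
	return PermissionDenied
}

// ToHTTP is the gateway mapping: 7 -> 403 and 16 -> 401 as on this page; 5 -> 404 and 8 -> 429 as in grpc-gateway.
func ToHTTP(c Code) int {
	s := map[Code]int{OK: 200, NotFound: 404, PermissionDenied: 403, ResourceExhausted: 429, Unauthenticated: 401}[c]
	if s == 0 {
		return 500 // unmapped code: report a server error rather than guessing
	}
	return s
}
```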
