permission_denied
Authorisation failures — scopes, permissions, and plan limits
HTTP status: 403
Category: API authorisation
What this error means
Your request was authenticated, but the caller is not permitted to perform this action. The API rejected the operation because of missing scopes, insufficient relationships, plan limits, or tenant status.
Related codes: forbidden, insufficient_scope, tenant_inactive, feature_not_available, feature_unavailable, and quota_exceeded.
Common causes
- API key scoped to
users:readbut calling a write endpoint - OAuth token missing required scopes for the operation
- SpiceDB permission check denied for the target resource
- Tenant suspended or on a plan that does not include the feature
- Plan quota exceeded (users, webhooks, applications, etc.)
How to fix it
- Review API key scopes in Console → Settings → API keys and add the required scope.
- For OAuth, request the correct scopes during authorisation.
- Verify resource-level permissions with
permissions.check()or the Console. - Confirm the tenant is active and on a plan that includes the feature.
- Do not retry without changing permissions — 403 responses are not transient.