What does "Claude Code request failed with status code 403" mean?

HTTP 403 = Forbidden. The Anthropic API received your request and rejected it on authorization grounds, not on syntax. Translation: your request reached the server, the server understood it, and refused to act on it. Most common causes: invalid or revoked API key, wrong organization/workspace selected, region restriction, model not enabled on your account, or abuse-detection signals (high concurrency from new account, unusual IP). 403 is NOT the same as 401 (missing/malformed credentials) or 429 (rate-limited). It means "you are recognized but not allowed."

How do I fix Claude Code 403 errors?

Walk the 5 layers in order: (1) Auth — verify ANTHROPIC_API_KEY is set, current, and not revoked at console.anthropic.com/settings/keys. (2) Org/workspace — confirm the key belongs to the workspace that has model access and credit. (3) Region/IP — check if your IP is in a restricted region (some Anthropic features are geo-gated). (4) Model access — confirm the specific Claude model (e.g., claude-opus-4-7) is enabled for your workspace. (5) Rate/abuse — check for unusual concurrency that triggered abuse detection. The fix is usually layer 1 (key revoked) or layer 2 (wrong workspace) — about 80% of cases.

Is Claude Code 403 different from Claude Code 401?

Yes, very. 401 = Unauthorized = your credentials are missing, malformed, or completely unrecognized — server doesn't know who you are. 403 = Forbidden = server knows who you are but refuses to act on the request. Different fixes: 401 means re-check that ANTHROPIC_API_KEY is set in the environment Claude Code is reading. 403 means the key is being read correctly but the underlying account/workspace/model permission is the problem.

Why does Claude Code 403 happen after I added a payment method?

Adding a payment method doesn't auto-grant access to all models. Anthropic's console requires you to explicitly enable specific models per workspace. After adding payment, go to console.anthropic.com → Settings → Workspaces → click your workspace → Model Access → enable the models Claude Code uses (claude-opus-4-7 and claude-sonnet-4-7 are the current defaults). 403 will persist until model access is granted, even with payment on file.

Can a VPN cause Claude Code to throw 403?

Yes — Anthropic restricts API access from certain regions. If your VPN exits in a restricted region (or your IP is shared with a region with high abuse signals), the API will return 403. Test by disabling the VPN, hitting `claude --version` to verify Claude Code can boot, then making a single test request. If 403 disappears without VPN, that was the cause. For privacy-required workflows, choose a VPN exit in a non-restricted region (US, UK, Canada, Australia are reliable).

Does Claude Code use a different API key than Claude.ai?

Yes. Claude.ai (the web chat) uses your account session cookie. Claude Code uses an API key generated at console.anthropic.com → Settings → API Keys (a separate console from claude.ai). Many 403 errors come from copying the wrong credential — especially confusing the Claude.ai session token (which won't work in Claude Code) with the Anthropic API key (which will). The API key starts with `sk-ant-` and is created specifically in the developer console.

What's the fastest way to verify my Anthropic API key works?

One curl command: `curl -s https://api.anthropic.com/v1/messages -H "x-api-key: $ANTHROPIC_API_KEY" -H "anthropic-version: 2023-06-01" -H "content-type: application/json" -d '{"model":"claude-opus-4-7","max_tokens":10,"messages":[{"role":"user","content":"hi"}]}'` — a 200 response with content means the key works and your workspace has model access. A 403 here narrows the problem to the account, not Claude Code itself. A 401 means the key is wrong or not in your environment.

⚠️ Claude Code · 403 Error · 2026 Operator Fix

Claude Code request failed with status code 403.
It's almost never Claude.

A 403 from the Anthropic API means the server recognized you and refused to act — it's not a network error, not an outage, not a Claude Code bug. The fix is one of five layers, and 80% of the time it's layer 1 (revoked / wrong API key) or layer 2 (model access not enabled in your workspace).

PJ · Cardiff operator · 858-461-8054

⚡ TL;DR · 60-second read 403 = "I recognize you, but you're not allowed." Walk the 5 layers in order before assuming Claude is down. Layer 1: Auth (is ANTHROPIC_API_KEY set, current, and not revoked?). Layer 2: Org/workspace (does the key's workspace have model access enabled?). Layer 3: Region/IP (VPN exit, country restriction). Layer 4: Model access (is claude-opus-4-7 explicitly enabled for your workspace?). Layer 5: Abuse signals (high concurrency from new account). Fix is usually layer 1 or 2 — verify the key in the Anthropic console + confirm Model Access on the right workspace. One curl command below isolates the cause in 30 seconds.

The 5 layers · walk them in order, not in panic.

Each layer is independently checkable in 60-90 seconds. Skipping layers is what turns a 5-minute fix into a 5-hour rabbit hole on GitHub issues that don't apply to your setup.

LAYER 1

Auth · is your API key actually being read?

The most-skipped layer because "obviously the key is set." But shells reload, .env files get out of sync, and keys get rotated/revoked in the Anthropic console without the local environment knowing. Verify with one command before assuming anything else.

# 1. Is the key in your environment at all?
echo "${ANTHROPIC_API_KEY:0:12}..."

# 2. Does the key still exist in the Anthropic console?
# → console.anthropic.com → Settings → API Keys
#   Look for "Last used" — if it's stale, the key may be revoked.
# 3. Smoke-test the key against the API directly:
curl -s https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d '{"model":"claude-opus-4-7","max_tokens":10,
       "messages":[{"role":"user","content":"hi"}]}'

What you're looking for: A 200 response = key works, problem is in Claude Code config (skip to Layer 2). A 401 = key is missing or wrong (regenerate at console.anthropic.com/settings/keys). A 403 here = the key is real but the underlying workspace lacks permission (continue to Layer 2). A 429 = rate-limited, not a 403 issue.

LAYER 2

Org / workspace · does the key belong to a workspace with model access?

An Anthropic account can have multiple workspaces, each with its own model-access settings, credit, and rate limits. The most common cause of "request failed with status code 403" after a fresh setup is a key generated in a workspace that has not been granted access to the specific Claude model Claude Code is calling.

Check: console.anthropic.com → top-left workspace switcher → confirm you're in the workspace that owns the API key. Then Settings → Model Access → confirm the Claude model Claude Code uses (typically claude-opus-4-7 and claude-sonnet-4-7) shows "Enabled". If it shows "Request access" or "Not enabled", that is your 403.

LAYER 3

Region / IP · are you calling from a region Anthropic restricts?

Anthropic restricts API access from a list of regions. If your VPN exits in a restricted country, or your residential IP is shared with a high-abuse subnet, the API will return 403 with a payload like "error":{"type":"permission_error","message":"Region not supported"}.

Check: Disable VPN/proxy → re-run the curl from Layer 1. If 403 disappears, that was your cause. Switch your VPN exit to US/UK/Canada/Australia/most of Western Europe and re-test. The exact restricted-region list lives at anthropic.com/supported-countries — verify before troubleshooting deeper.

LAYER 4

Model access · is the specific model enabled for THIS workspace?

Adding a payment method does not auto-enable every Claude model. Anthropic gates model access per workspace, especially for newer or higher-tier models. Claude Code defaults to Opus and Sonnet; if your workspace has only Haiku enabled (or vice versa), the request returns 403 with a permission error specific to the model name.

Check: Anthropic console → Settings → Workspaces → click your workspace → Model Access tab. Each model lists "Enabled" or "Disabled" with the date. Enable the models Claude Code uses, wait ~30 seconds for propagation, then re-test. If the Model Access tab is missing, your account tier may not be high enough — contact Anthropic support with the workspace ID.

LAYER 5

Abuse signals · did your account get flagged automatically?

New accounts that suddenly fire dozens of parallel requests, or accounts whose IP shares space with known scrapers, can trip Anthropic's abuse heuristics. The signature is intermittent 403s — it works once, fails twice, works once more — never a clean failure.

Check: Check the response body — abuse-related 403s usually include "type":"permission_error" with a message about unusual activity. Drop your concurrency to 1 request at a time, wait 5 minutes, then retry. If it works at concurrency=1 and fails at concurrency=10, that's your signal. Contact Anthropic support with your account email + a sample request ID — they can clear the flag.

Decision tree · by what your terminal is actually telling you.

If you've already eyeballed the layers and want a faster path, walk this tree based on what the error response actually says.

Q1: What does the curl smoke-test from Layer 1 return?
→ 200 → API works; the problem is inside Claude Code config. Check ~/.claude/settings.json + .claude/settings.local.json for stale keys or wrong base URL.
→ 401 → Key not loaded or wrong. Regenerate at console.anthropic.com → re-export ANTHROPIC_API_KEY → restart shell.
→ 403 → Continue to Q2.

Q2: What does the 403 response body say?
→ "Region not supported" → Layer 3: VPN exit / IP region.
→ "Model not enabled" or model-name in message → Layer 4: enable model in workspace.
→ "unusual activity" / "permission_error" generic → Layer 5: abuse flag.
→ No body / empty 403 → Layer 2: wrong workspace or revoked key.

Q3: Did this start happening after a billing change or workspace switch?
→ Yes → Layer 2 + 4: payment doesn't auto-enable models. Confirm Model Access tab.
→ No, has worked before → key likely revoked. Check console → Settings → API Keys → "Last used" timestamps.

Q4: Are you using a corporate proxy or zero-trust gateway (Zscaler, Netskope, Cloudflare Access)?
→ If yes, the proxy may be stripping the x-api-key header or rewriting the host. Try curl -v through the proxy and confirm the header arrives intact at api.anthropic.com.

The three paths from here · pick by where you're stuck.

Three ways out of a 403, ranked by how invasive the fix is.

Path 1 · Self-fix in 5 minutes. (80% of cases)

Run the Layer 1 curl. If it returns 200, your key works — fix Claude Code's local config. If it returns 401/403, fix at console.anthropic.com: regenerate key, switch to the right workspace, enable model access. Restart your terminal so the new ANTHROPIC_API_KEY is read.

Path 2 · Anthropic support ticket. (15% of cases)

If the curl returns 403 even from a fresh API key in a workspace where Model Access is shown as "Enabled", you need Anthropic to look at the account. Open a ticket at support.anthropic.com with: account email, workspace ID, the exact x-request-id from the 403 response headers, and the curl command (with key redacted). Response is typically 24-48 hours.

Path 3 · Text PJ for a second pair of eyes. (5% of cases)

Sometimes the 403 is downstream of a non-obvious config — a corporate proxy stripping headers, an MCP server holding a stale key, a multi-account setup using aws-vault-style credential stores that mask ANTHROPIC_API_KEY. Text PJ a sentence about your setup; if it's recognizable, you'll get an answer in minutes. If not, no obligation — just operator-to-operator.

When to text PJ · vs. open a support ticket.

Both are free. The choice is about what kind of answer you need.

Text PJ when: you've walked the layers and want a sanity-check before opening a ticket, you suspect a config issue specific to your dev setup (MCP, multi-account, corporate proxy), or you're running Claude Code in production and need a faster turnaround than Anthropic support's 24-48hr SLA.

Open an Anthropic support ticket when: the curl smoke-test returns 403 with no obvious cause, you suspect an account-level abuse flag, or you need an official answer about model availability / region support. Anthropic's the only one who can clear flags or grant model access.

Why "Claude Code 403" is an operator-translation problem.

"Request failed with status code 403" tells you nothing about which of five completely different problems you're hitting. The HTTP layer is honest — server says "no" — but the cause lives one layer up: in your account, your workspace, your region, your model access, or your usage pattern.

Most "Claude Code 403" Stack Overflow / GitHub answers chase the wrong layer. They assume API key (Layer 1) when the real cause is workspace permission (Layer 2) or model gate (Layer 4). The translation is: "403 means the request landed and the answer was no — figure out who said no, not how to retry."

This is the same pattern as Salesforce 401, Stripe 402, or Twilio 21610. The status code is a header on a deeper question: which layer of permission failed? Every API has a 5-ish-layer permission stack; the fix is always the same recipe — walk the layers in order, don't guess.

Claude Code didn't break.
Your permission to act got rejected.
Walk the layers in order — the fix is almost always layer 1 or 2.

Stuck on a Claude Code 403?

If you've walked the 5 layers and the 403 is still firing, text the actual response body + which layers you've ruled out. Operator opinion, not Anthropic support — but I'll usually beat their SLA. Free either way.

Text PJ · 858-461-8054