When building a REST API there is often confusion about when to respond with Unauthorized (401) and when to respond with Forbidden (403). If the integration team isn't aware of the difference between these status codes, it causes ambiguity when dealing with the REST APIs.
Unauthorized (401) status code
Use this when the token is invalid or the API cannot identify/authenticate the user making the request. When a REST API responds with a 401 status code, the client needs to verify whether its token is valid or has expired.
Forbidden (403) status code
Use this when the token is valid but the authenticated user doesn't have the privilege to access the requested resource/endpoint.
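The distinction above maps directly onto two separate checks in a request handler: first establish who the caller is (failure is 401), then check whether that caller may reach the endpoint (failure is 403). The following is an added example written for this post, not code from the original; the token store, the role table, the endpoint paths and the fixed clock value are all constructed so it runs offline. A real API would validate a signed token rather than look one up in a dictionary.

```python
# Constructed sample token store: token -> claims (subject, roles, expiry as a unix time).
# Assumption for the example: a fixed "current time" so expiry checks are deterministic.
NOW = 1_700_000_000
TOKENS = {
    "tok-alice": {"sub": "alice", "roles": {"user"}, "exp": NOW + 3600},
    "tok-admin": {"sub": "root", "roles": {"user", "admin"}, "exp": NOW + 3600},
    "tok-stale": {"sub": "bob", "roles": {"user"}, "exp": NOW - 60},  # already expired
}

# Constructed table of which role each endpoint requires.
ENDPOINT_ROLES = {
    "/api/profile": "user",
    "/api/admin/users": "admin",
}


def authenticate(authorization_header, now=NOW):
    """Return the token's claims, or None when the caller cannot be identified.

    None covers every authentication failure: no header, wrong scheme,
    unknown token, or expired token. All of these become a 401.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    claims = TOKENS.get(token)
    if claims is None or claims["exp"] <= now:
        return None
    return claims


def handle_request(path, authorization_header=None, now=NOW):
    """Return (status, response_headers, body) for a request to `path`."""
    if path not in ENDPOINT_ROLES:
        return 404, {}, {"error": "not found"}

    claims = authenticate(authorization_header, now)
    if claims is None:
        # 401: the API could not establish who the caller is.
        # RFC 7235 requires a WWW-Authenticate header on a 401 so the client
        # knows which scheme to retry with (here the Bearer scheme of RFC 6750).
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "unauthorized"}

    if ENDPOINT_ROLES[path] not in claims["roles"]:
        # 403: the caller is known and the token is valid, but the caller
        # lacks the privilege for this endpoint. Re-sending the same token
        # will not help, which is exactly what distinguishes 403 from 401.
        return 403, {}, {"error": "forbidden"}

    return 200, {}, {"sub": claims["sub"], "path": path}


if __name__ == "__main__":
    for args in [
        ("/api/profile",),                          # no token        -> 401
        ("/api/profile", "Bearer tok-stale"),       # expired token   -> 401
        ("/api/profile", "Bearer tok-alice"),       # valid, allowed  -> 200
        ("/api/admin/users", "Bearer tok-alice"),   # valid, no role  -> 403
        ("/api/admin/users", "Bearer tok-admin"),   # valid, admin    -> 200
    ]:
        status, headers, body = handle_request(*args)
        print(args, "->", status, headers, body)
```

The order of the two checks matters: authentication runs first so that an unauthenticated caller always gets a 401, and the role check only runs on a token the API has already accepted. Keeping the checks in separate functions also makes it harder to accidentally return a 403 for an expired token, which would send the client chasing a permissions problem it doesn't have.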