Failure Index / Auth & permissions · critical · LangChain · OpenAI Agents SDK · CrewAI
Agent tool call fails with HTTP 403 Forbidden
The credentials were accepted, but they lack permission for this specific operation. Unlike a 401, the key is valid — it just cannot do what the agent asked.
The error
ToolError: 403 forbidden agent
langchain tool 403 permission denied
agent api call forbidden insufficient scopeRoot cause
The API key or OAuth grant is missing the required scope or role for this action. Common with least-privilege keys created for reads that an agent later uses for writes, or OAuth consent screens that never requested the needed scope.
The fix
Check the provider's docs for the scope this exact operation needs, then grant it to the key or re-run the OAuth consent flow including it. Do not swap in an admin key as the fix — scope the permission to the operation.
Preventing it next time
List each tool's required scopes next to its definition, and test agents with the same restricted keys they will use in production, not with admin keys.
pip install vorlo-trace · npm install vorlo-trace. Start free