Failure Index / Auth & permissions · critical · LangChain · OpenAI Agents SDK · CrewAI

Agent tool call fails with HTTP 403 Forbidden

The credentials were accepted, but they lack permission for this specific operation. Unlike a 401, the key is valid — it just cannot do what the agent asked.

The error

ToolError: 403 forbidden agent
langchain tool 403 permission denied
agent api call forbidden insufficient scope

Root cause

The API key or OAuth grant is missing the scope or role required for this action. This is common with least-privilege keys that were created for reads and are later used by an agent for writes, and with OAuth consent screens that never requested the needed scope.

The fix

Check the provider's docs for the scope this exact operation needs, then grant it to the key or re-run the OAuth consent flow including it. Do not swap in an admin key as the fix — scope the permission to the operation.

Preventing it next time

List each tool's required scopes next to its definition, and test agents with the same restricted keys they will use in production, not with admin keys.
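
One way to keep required scopes next to each tool definition and check a restricted credential against them before the agent runs. This is an added example, not code from LangChain, the OpenAI Agents SDK or CrewAI; the ToolSpec class, the tool names and the scope names are hypothetical, and the granted scopes are assumed to arrive as a space-delimited OAuth scope string.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolSpec:
    name: str
    required_scopes: frozenset  # declared alongside the tool definition


# Constructed tool definitions; scope names are hypothetical.
TOOLS = [
    ToolSpec("list_issues", frozenset({"issues:read"})),
    ToolSpec("create_issue", frozenset({"issues:read", "issues:write"})),
    ToolSpec("close_issue", frozenset({"issues:write"})),
]


def parse_granted(scope_string):
    """OAuth 2.0 scope values are space-delimited (RFC 6749, section 3.3)."""
    return frozenset(scope_string.split())


def missing_scopes(tools, granted):
    """Map each tool the credential cannot run to the scopes it lacks."""
    gaps = {}
    for tool in tools:
        missing = tool.required_scopes - granted
        if missing:
            gaps[tool.name] = sorted(missing)
    return gaps


def unused_scopes(tools, granted):
    """Scopes granted but needed by no tool: over-privilege to remove."""
    needed = frozenset().union(*(t.required_scopes for t in tools))
    return sorted(granted - needed)


def preflight(tools, scope_string):
    granted = parse_granted(scope_string)
    return missing_scopes(tools, granted), unused_scopes(tools, granted)


if __name__ == "__main__":
    # Constructed credential: read-only, plus one broad scope no tool needs.
    gaps, extra = preflight(TOOLS, "issues:read admin:org")
    for name, scopes in gaps.items():
        print(f"{name}: expect 403, missing {scopes}")
    print("granted but unused:", extra)
```

Run it in CI with the scope string of the production key: a non-empty first result predicts the 403 before deployment, and a non-empty second result flags a key that is broader than the tools require.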
