Errors
DSAR-BE-1003: AUTH_REQUEST_ACCESS_FORBIDDEN
Alpha
DSAR is currently in alpha. APIs, package surfaces, configuration, and documentation may change as the project evolves.
Meaning
The caller is authenticated, but the resolved principal is not allowed to access the requested route or DSAR record.
Probable Causes
- A subject principal attempted to use a staff-only route.
- A subject principal tried to read or mutate another subject's request.
- Principal-kind mapping in your bearer resolver or trusted identity projection is incorrect.
How to Fix
- Verify the caller resolves to the correct principalKind for the route.
- For subject portals, authenticate the subject in the host app and project the matching subject identity to DSAR.
- Ensure the request actually belongs to the subject before calling subject-owned routes.
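
The sketch below is an added example, not DSAR's own code: it shows the kind of post-authentication check that yields this error, so the three probable causes can be reproduced and tested in a host app. All type and function names (DsarPrincipal, RouteSpec, DsarRecord, authorize) and the "subject"/"staff" kind values are hypothetical; only the error code comes from this page.

```typescript
// Hypothetical types for illustration; not DSAR's actual package surface.
type PrincipalKind = "subject" | "staff";
interface DsarPrincipal {
  kind: PrincipalKind; // produced by the bearer resolver or trusted identity projection
  subjectId?: string;  // expected for subject principals
}
interface RouteSpec {
  allowedKinds: PrincipalKind[]; // principal kinds permitted on the route
  subjectOwned: boolean;         // true when the route acts on one subject's request
}
interface DsarRecord { id: string; subjectId: string }
interface Decision { allowed: boolean; code?: string; reason?: string }

const FORBIDDEN = "DSAR-BE-1003"; // AUTH_REQUEST_ACCESS_FORBIDDEN

function deny(reason: string): Decision {
  return { allowed: false, code: FORBIDDEN, reason: reason };
}

// Runs after authentication succeeded: the principal is known, access is the question.
function authorize(principal: DsarPrincipal, route: RouteSpec, record?: DsarRecord): Decision {
  // Staff-only route reached by a subject, or a caller mapped to the wrong kind.
  if (route.allowedKinds.indexOf(principal.kind) === -1) {
    return deny("principal kind '" + principal.kind + "' is not allowed on this route");
  }
  // A subject may only read or mutate a request that belongs to them.
  if (principal.kind === "subject" && route.subjectOwned) {
    // Fail closed when the record or the projected subject id is missing.
    if (!record || !principal.subjectId || record.subjectId !== principal.subjectId) {
      return deny("request does not belong to the calling subject");
    }
  }
  return { allowed: true };
}

// Constructed sample data.
const staffRoute: RouteSpec = { allowedKinds: ["staff"], subjectOwned: false };
const subjectRoute: RouteSpec = { allowedKinds: ["subject", "staff"], subjectOwned: true };
const alice: DsarPrincipal = { kind: "subject", subjectId: "sub-alice" };
const alicesRequest: DsarRecord = { id: "req-1", subjectId: "sub-alice" };
const bobsRequest: DsarRecord = { id: "req-2", subjectId: "sub-bob" };
```

A denial here is not retryable with the same inputs: the decision only changes when the principal, its kind, or the target record changes.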
Retryable
No. Retry only after changing the caller identity, principal kind, or target resource.