What is the difference between a 401 and 403 from the Anthropic API?

A 401 authentication_error means your API key is invalid, missing, or not yet active — the API doesn't recognize who you are. A 403 permission_error means your key is valid and recognized, but it does not have permission to do what you're asking — the API knows who you are but won't allow the action. The fix for 401 is to check your key; the fix for 403 is to check what your key or account is permitted to access.

Why does the Anthropic API return 403 when I try to use Claude Opus?

Claude Opus is only available at certain API usage tiers. If your account has not reached the spend threshold or time-based qualification for Opus access, calls to claude-opus-4 or similar will return a 403 permission_error. You can check your current tier in console.anthropic.com under Settings > Billing. To unlock Opus access, you typically need to have been actively using the API and/or meet a minimum spend threshold.

What beta features require a special header in the Anthropic API?

Anthropic gates certain features behind the anthropic-beta header. Examples include extended thinking (anthropic-beta: interleaved-thinking-2025-05-14), extended output (anthropic-beta: output-128k-2025-02-19), and others. Calling a beta feature without the correct header value returns a 403. The required header value is documented in Anthropic's feature-specific documentation pages.

Can a workspace admin restrict which models an API key can access?

Yes. Anthropic workspace admins can create API keys with restricted model access via the console. If your key was created by an admin with a model allowlist or denylist, requests to restricted models return a 403 permission_error. Check with your admin or review the key's settings in console.anthropic.com/settings/keys to see if restrictions are applied.

Anthropic API `permission_error` (HTTP 403): 5 causes in diagnostic order

HTTP 403 from the Anthropic API means your key is valid — the API recognized your authentication — but the specific action you're requesting is not permitted for your key, account tier, or workspace configuration. This is different from a 401 (bad key) and requires a different set of checks. This page covers the five causes in the order you should diagnose them.

The 30-second answer

403 ≠ bad key. Your key works. Something about the specific request is not allowed.
Most common cause: trying to access a model (e.g., claude-opus-4) that your account tier doesn't have access to yet.
Second most common: calling a beta feature without the required anthropic-beta header.
In a workspace: an admin may have restricted your key's model access.

What the error looks like

HTTP/1.1 403 Forbidden
{
  "type": "error",
  "error": {
    "type": "permission_error",
    "message": "Your API key does not have permission to use the specified resource."
  }
}

The message field varies slightly depending on the specific restriction. You may also see messages referencing model access, beta feature requirements, or workspace policy. In the Anthropic Python SDK this raises an anthropic.PermissionDeniedError. In the Node SDK it's a PermissionDeniedError.

Cause 1: Model not available at your API tier

Anthropic gates access to certain models — in particular Claude Opus — behind API usage tiers. New accounts or accounts below the spend threshold cannot call high-tier models, even with a valid API key.

To check your current tier: go to console.anthropic.com/settings/billing and look at the "Usage tier" section. Tier 1 (new accounts) does not have access to Opus. Tier 2 and above gain progressively broader model access.

Fix: use a model you have access to (claude-haiku-4-5 and claude-sonnet-4-5 are accessible at lower tiers). To unlock Opus, meet the tier threshold requirements — typically a combination of time using the API and cumulative spend. You cannot pay to jump tiers immediately; the progression is automatic as you use the API.

Current tier access by model (as of June 2026 — verify in Anthropic's docs as this changes):

Model	Minimum tier
claude-haiku-4-5	Tier 1
claude-sonnet-4-5	Tier 1
claude-opus-4	Tier 2+

Cause 2: Beta feature without the required header

Anthropic releases some capabilities in beta behind the anthropic-beta request header. If you call an endpoint or use a parameter that requires a beta flag without providing the header, you receive a 403.

Common beta features and their required header values:

Feature	Required header
Extended thinking / interleaved thinking	`anthropic-beta: interleaved-thinking-2025-05-14`
Extended output (128k tokens)	`anthropic-beta: output-128k-2025-02-19`
Files API	`anthropic-beta: files-api-2025-04-14`
Message batches	`anthropic-beta: message-batches-2024-09-24`

Fix: add the anthropic-beta header with the correct value for the feature you're using. These values are documented in Anthropic's feature-specific documentation pages. If using the official SDK, set it via the extra_headers parameter:

# Python SDK
client = anthropic.Anthropic()
response = client.messages.create(
    model="claude-sonnet-4-5-20251022",
    max_tokens=16000,
    thinking={"type": "enabled", "budget_tokens": 10000},
    messages=[...],
    extra_headers={"anthropic-beta": "interleaved-thinking-2025-05-14"}
)

Cause 3: Workspace API key with model restrictions

Anthropic workspace admins can create API keys restricted to specific models. If your key was provisioned by an org admin with model allowlist or denylist settings, requests to restricted models return 403 regardless of your account tier.

How to check: go to console.anthropic.com/settings/keys. If you see a "Restrictions" field on your key showing specific models, that is the active constraint.

Fix: either request a new key from your admin with the models you need, or ask the admin to update the existing key's restrictions. If you're the admin: edit the key in the console and adjust the model access settings.

Cause 4: Key created before a feature was available (stale key permissions)

Occasionally, API keys created before Anthropic launched a specific feature or tier may not automatically inherit access to that feature. This is rare but has been reported for some enterprise features and early beta programs.

Fix: generate a new API key from your current account. New keys reflect the current state of your account's entitlements. If the new key still returns 403 for the same request, the issue is the account tier (Cause 1) rather than a stale key.

Cause 5: Organizational policy or IP allowlist restriction

Enterprise Anthropic accounts may have organizational controls in place — IP allowlists, geographic restrictions, or service account policies — that block specific API key usage from certain environments. This typically manifests as a 403 that appears in some environments (a development machine, a cloud provider's IP range) but not others.

How to diagnose: test the same key from a different network or environment. If the request succeeds elsewhere, the issue is a network-level or organizational restriction rather than the key itself.

Fix: work with your organization's Anthropic admin to adjust IP allowlists, or use an environment that is within the allowed network policy.

Quick diagnostic checklist

Check the exact message field in the error JSON — it often names the specific resource you lack access to.
Does the error occur with a different, lower-tier model? If yes → Cause 1 (model tier).
Does the request use a beta parameter (thinking, betas, extended max_tokens)? If yes → Cause 2 (missing beta header).
Was your key created by an admin? If yes → Cause 3 (workspace restriction).
Does the error only occur from a specific environment? If yes → Cause 5 (network policy).
None of the above → regenerate the key (Cause 4).

Last updated June 8, 2026. API tier thresholds and beta feature header values are subject to change — verify against current Anthropic documentation.

Anthropic API permission_error (HTTP 403): 5 causes in diagnostic order