ScopeDeniedException
The 403 signal that a request authenticated fine but is not *allowed* here — it holds none of the scopes the route requires. Distinct from the 401s on purpose: the caller is known, they simply lack permission, and re-authenticating will not help. The message names the required scopes (the developer's own policy, never a secret) so the fix is obvious: grant the actor one of them, or guard the route with a scope the actor already holds.
ScopeDeniedException::forRequiredScopes()
public static function forRequiredScopes(array $required): selfBuilds the denial for a route that required one of `$required` and the actor held none of them.
Parameters
| Name | Type | Description |
|---|---|---|
| $required | list<string> | the scopes any one of which would have satisfied the guard |