Skip to content
docsv0.1.0

ScopeDeniedException

The 403 signal that a request authenticated fine but is not *allowed* here — it holds none of the scopes the route requires. Distinct from the 401s on purpose: the caller is known, they simply lack permission, and re-authenticating will not help. The message names the required scopes (the developer's own policy, never a secret) so the fix is obvious: grant the actor one of them, or guard the route with a scope the actor already holds.

ScopeDeniedException::forRequiredScopes()

public static function forRequiredScopes(array $required): self

Builds the denial for a route that required one of `$required` and the actor held none of them.

Parameters

Parameters of forRequiredScopes()
NameTypeDescription
$requiredlist<string>the scopes any one of which would have satisfied the guard