[ADP-202] Not Found vs. Forbidden
Guidance
The server SHOULD return a 404: Not Found status code when the requested resource cannot be found. This indicates that the server has not found anything matching the Request-URI.
If the caller lacks permission to read the parent resource, the server SHOULD return a 403: Forbidden status code even when the requested child resource does not exist. The status code MUST NOT depend on whether the resource exists: if an unauthorized caller received 403 for an existing resource and 404 for an absent one, the difference in status codes alone would let them enumerate resources they are not allowed to see. Returning 403 consistently also makes clear to the caller that the problem is their access rights, not the absence of the resource.
Example
- Attempting to access api.server.dev/group/${group-id}/users/${user-id} may result in a 403 response if the request authorization lacks permission to access /group/${group-id}/users, regardless of whether ${user-id} exists in that group.
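The following is an added example, not code from the original page or from any project it describes. It models the handler for GET /group/${group-id}/users/${user-id} with an in-memory table (the GROUPS data, the principal names alice and bob, and the handler shape are all constructed assumptions for illustration). It shows the guidance-compliant ordering, the existence-first ordering that leaks membership, and a small differential check that tells the two apart from the outside, which is the test you would run against a real endpoint.

```python
from http import HTTPStatus
from typing import Callable

# Constructed sample data, not from the original page: two groups, their
# member ids, and which principals may read each group's member list.
GROUPS = {
    "g-1": {"users": {"u-1", "u-2"}, "readers": {"alice"}},
    "g-2": {"users": {"u-3"}, "readers": {"bob"}},
}


def can_read_users(principal: str, group_id: str) -> bool:
    """Authorization check on the parent collection /group/{group_id}/users.

    An unknown group has no readers, so the caller is treated as unauthorized
    and later receives 403; this also avoids leaking which group ids exist.
    """
    group = GROUPS.get(group_id)
    return group is not None and principal in group["readers"]


def get_group_user(principal: str, group_id: str, user_id: str) -> int:
    """GET /group/{group_id}/users/{user_id}, following the guidance above.

    The parent-collection permission is checked before any existence lookup,
    so an unauthorized caller always gets 403 whether or not user_id exists,
    and 404 only ever reaches a caller who is allowed to read the collection.
    """
    if not can_read_users(principal, group_id):
        return HTTPStatus.FORBIDDEN
    if user_id not in GROUPS[group_id]["users"]:
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.OK


def leaky_get_group_user(principal: str, group_id: str, user_id: str) -> int:
    """The ordering to avoid: existence is checked before authorization.

    A caller with no permission on the collection gets 404 for a missing user
    but 403 for an existing one, so the status code itself reveals membership.
    """
    group = GROUPS.get(group_id)
    if group is None or user_id not in group["users"]:
        return HTTPStatus.NOT_FOUND
    if not can_read_users(principal, group_id):
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def leaks_existence(handler: Callable[[str, str, str], int],
                    principal: str, group_id: str) -> bool:
    """Differential check: probe one existing and one absent user id as a
    principal who may NOT read the group; the handler leaks if the two
    responses differ."""
    assert not can_read_users(principal, group_id), "probe needs an unauthorized caller"
    existing = next(iter(GROUPS[group_id]["users"]))
    absent = "u-does-not-exist"  # constructed id that is in no group
    return handler(principal, group_id, existing) != handler(principal, group_id, absent)


if __name__ == "__main__":
    for name, handler in (("guidance-compliant", get_group_user),
                          ("existence-first", leaky_get_group_user)):
        print(f"{name}: leaks existence to bob on g-1? "
              f"{leaks_existence(handler, 'bob', 'g-1')}")
```

The same probe works against a live API: send two requests as a principal without permission on the collection, one for an id you know exists and one for an id that cannot exist, and compare the status codes. Any difference (in status, and in practice also in body or response time) is an existence leak, whatever the server's documentation claims.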