In Consumer Data Standards (CDS), Client Authentication, if an API is invoked with insufficient permission or scopes, then is a 403 error with a resource forbidden code an appropriate response or should a 4xx error with a general error code be used as a response?
However, if the error behaviour is described by the upstream normative standard, then that standard takes precedence over the CDS. Hence, please also refer to the OAuth specification for permissible error responses.