--- title: Denied Reason description: Use denied-reason to allow a policy writer to provide an error message that contains the reason for denying a request. component: pingauthorize version: 9.3 page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_denied_reason canonical_url: https://docs.pingidentity.com/pingauthorize/9.3/pingauthorize_policy_administration_guide/paz_denied_reason.html revdate: June 30, 2023 --- # Denied Reason Use `denied-reason` to allow a policy writer to provide an error message that contains the reason for denying a request. | Description | Details | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Applicable to | DENY decisions The Denied Reason statement only applies to SCIM searches using the optimized search response authorization mode. | | Additional information | The payload for Denied Reason statements is a JSON object string with the following fields:- `status` – Contains the HTTP status code returned to the client. If this field is absent, the default status is 403 Forbidden. - `message` – Contains a short error message returned to the client. - `detail` (optional) – Contains additional, more detailed error information.The following example shows a possible response for a request made with insufficient scope:`{"status":403, "message":"insufficient_scope", "detail":"Requested operation not allowed by the granted OAuth scopes."}` |