How to Resolve Pip "Error 403 Forbidden" While Installing Packages with Python pip
Encountering a 403 Forbidden error when trying to install a Python package with pip can bring your development workflow to a halt. This error means the server is actively refusing your request, and it can happen for a variety of reasons - from network restrictions to authentication issues.
In this guide, we'll break down the common causes, show you how to diagnose the problem, and walk through proven solutions with concrete examples.
What Does the 403 Error Look Like?
When this error occurs, you'll typically see output similar to this in your terminal:
$ pip install some-package
ERROR: Could not install packages due to an EnvironmentError: 403 Client Error: Forbidden for url: https://pypi.org/simple/some-package/
Or in some cases:
ERROR: HTTP error 403 while getting https://pypi.org/packages/...
What Causes the 403 Forbidden Error?
Before jumping into solutions, it's important to understand the possible root causes:
| Cause | Description |
|---|---|
| Proxy or firewall blocking | Corporate networks or firewalls intercept and block pip's HTTPS requests |
| IP-based rate limiting or blocking | PyPI or a mirror has temporarily blocked your IP due to excessive requests |
| Authentication required | Private package repositories require credentials that pip doesn't have |
| Outdated pip or Python | Older versions of pip may use deprecated TLS versions or request formats that servers reject |
| Incorrect repository URL | A typo or outdated index URL points to a non-existent or restricted resource |
| SSL/TLS issues | The server requires a newer TLS version than your environment supports |
Solutions
1. Update pip and Python
An outdated version of pip is one of the most common - and most easily fixed - causes of 403 errors. Older pip versions may use deprecated protocols or headers that modern servers reject.
# Upgrade pip to the latest version
python -m pip install --upgrade pip
Also verify your Python version:
python --version
Python 3.7 and earlier have reached end-of-life and may not support the TLS versions required by PyPI. If you're on an old Python version, upgrading Python itself may be the only fix.
2. Configure Proxy Settings
If you're behind a corporate network, VPN, or proxy server, pip's requests may be blocked before they ever reach PyPI. You need to tell pip how to route through your proxy.
Option A: Set environment variables
# Linux / macOS
export HTTP_PROXY="http://username:password@proxy.example.com:8080"
export HTTPS_PROXY="http://username:password@proxy.example.com:8080"
# Then run pip normally
pip install some-package
# Windows (PowerShell)
$env:HTTP_PROXY = "http://username:password@proxy.example.com:8080"
$env:HTTPS_PROXY = "http://username:password@proxy.example.com:8080"
pip install some-package
Option B: Pass the proxy directly to pip
pip install some-package --proxy http://username:password@proxy.example.com:8080
Option C: Set it permanently in pip's config file
Create or edit your pip configuration file:
- Linux/macOS:
~/.config/pip/pip.conf - Windows:
%APPDATA%\pip\pip.ini
[global]
proxy = http://username:password@proxy.example.com:8080
If you're unsure whether a proxy is involved, ask your network administrator or IT department. You can also test by running curl -v https://pypi.org to see if the connection is being intercepted.
3. Use a Trusted Host Flag
Some firewalls or proxy servers perform SSL inspection, which causes certificate verification to fail. While pip may report this as a 403 error, adding the --trusted-host flag can help:
pip install some-package --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org
To make this permanent, add it to your pip config file:
[global]
trusted-host =
pypi.org
pypi.python.org
files.pythonhosted.org
Using --trusted-host disables SSL certificate verification for those domains. This bypasses an important security check. Only use this when you understand the network environment (e.g., a corporate proxy with SSL inspection).
4. Use an Alternative Package Index
If PyPI itself is blocked or rate-limiting your IP, you can use an official mirror:
pip install some-package -i https://pypi.tuna.tsinghua.edu.cn/simple/
Other popular mirrors:
| Mirror | URL |
|---|---|
| Tsinghua (China) | https://pypi.tuna.tsinghua.edu.cn/simple/ |
| Alibaba (China) | https://mirrors.aliyun.com/pypi/simple/ |
| USTC (China) | https://pypi.mirrors.ustc.edu.cn/simple/ |
| TestPyPI | https://test.pypi.org/simple/ |
To set a default index permanently:
# pip.conf or pip.ini
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple/
5. Configure Authentication for Private Repositories
If you're installing from a private package index (like Artifactory, Nexus, or a company-hosted repository), you must provide credentials.
Option A: Inline credentials in the URL
pip install some-package -i https://username:password@my.private.repo/simple/
Option B: Use a .pypirc file
This is primarily for uploading, but useful for reference.
# ~/.pypirc
[distutils]
index-servers =
pypi
private
[private]
repository = https://my.private.repo/simple/
username = myusername
password = mypassword
Option C: Use keyring for secure credential storage.
pip install keyring
keyring set https://my.private.repo/simple/ myusername
# You'll be prompted to enter the password securely
Then pip will automatically retrieve credentials when accessing that repository.
Option D: Use token-based authentication
Many private registries support API tokens instead of passwords:
pip install some-package -i https://__token__:your-api-token@my.private.repo/simple/
6. Check Your Firewall and Antivirus Settings
Desktop firewalls and antivirus software can silently block pip's network requests:
- Windows Defender Firewall: Ensure Python and pip are allowed through the firewall.
- Antivirus software: Some antivirus programs (like Kaspersky, Norton, or Bitdefender) intercept HTTPS traffic. Try temporarily disabling the web protection feature to test.
- Corporate firewalls: Contact your IT department to whitelist
pypi.org,pypi.python.org, andfiles.pythonhosted.org.
7. Clear pip's Cache
Corrupted cache entries can sometimes cause unexpected errors:
pip cache purge
Then retry the installation:
pip install some-package --no-cache-dir
Diagnostic Checklist
When you encounter a 403 error, work through this checklist systematically:
# 1. Check pip version
pip --version
# 2. Check Python version
python --version
# 3. Test basic connectivity to PyPI
curl -I https://pypi.org
# 4. Test with verbose output to see exactly where it fails
pip install some-package -vvv
# 5. Try without cache
pip install some-package --no-cache-dir
# 6. Try with an alternative index
pip install some-package -i https://pypi.tuna.tsinghua.edu.cn/simple/
The verbose flag (-vvv) is particularly useful because it shows the full HTTP request and response, helping you identify whether the issue is a proxy, authentication, or server-side problem.
Quick Reference: Solutions Summary
| Solution | Command / Action |
|---|---|
| Update pip | python -m pip install --upgrade pip |
| Set proxy | pip install pkg --proxy http://user:pass@proxy:port |
| Trusted host | pip install pkg --trusted-host pypi.org |
| Alternative mirror | pip install pkg -i https://mirror-url/simple/ |
| Private repo auth | pip install pkg -i https://user:pass@repo/simple/ |
| Clear cache | pip cache purge then pip install pkg --no-cache-dir |
| Verbose debugging | pip install pkg -vvv |
Conclusion
The 403 Forbidden error when using pip is almost always a network or authentication issue rather than a problem with the package itself.
Start by updating pip and checking whether you're behind a proxy or firewall. If the issue persists, try using an alternative package index, configuring trusted hosts, or providing authentication credentials for private repositories.
The -vvv verbose flag is your best friend for diagnosing exactly where the connection is being rejected.
By systematically working through these solutions, you'll be able to resolve the error and get back to installing packages.