diff --git a/pkg/api/controller.go b/pkg/api/controller.go
index 3bb83e2b82d..847ff007185 100644
--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -5947,11 +5947,15 @@ func (c *Controller) authorizeCallback(w http.ResponseWriter, r *http.Request, p
 return false
 }
 if resp.Error != nil {
- cb(w, r, http.StatusUnauthorized, resp.Error)
+ cb(w, r, http.StatusForbidden, resp.Error)
 return false
 }
 if !resp.Allowed {
- cb(w, r, http.StatusInternalServerError, "User does not have the required permissions")
+ msg := "User does not have the required permissions"
+ if resp.Error != nil {
+ msg = resp.Error.Error()
+ }
+ cb(w, r, http.StatusForbidden, msg)
 return false
 }
 return true
diff --git a/pkg/gateway/middleware.go b/pkg/gateway/middleware.go
index 0544d3d4895..30070c60e76 100644
--- a/pkg/gateway/middleware.go
+++ b/pkg/gateway/middleware.go
@@ -200,7 +200,7 @@ func EnrichWithRepositoryOrFallback(c *catalog.Catalog, authService auth.Gateway
 },
 })
 if authErr != nil || authResp.Error != nil || !authResp.Allowed {
- _ = o.EncodeError(w, req, err, gatewayerrors.ErrAccessDenied.ToAPIErr())
+ _ = o.EncodeError(w, req, authErr, gatewayerrors.ErrAccessDenied.ToAPIErr())
 return
 }
 if fallbackProxy != nil {
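Review bot: The inner `if resp.Error != nil` inside the `!resp.Allowed` branch can never be true, because the branch just above already returns whenever `resp.Error` is non-nil, so `msg` always keeps its default. Drop the dead check and call `cb(w, r, http.StatusForbidden, "User does not have the required permissions")` directly. Separately, the first branch now sends the raw `resp.Error` to the client with a 403. If that error can carry authentication failures or backend policy detail (not visible in this hunk), a fixed client message with the detail logged server-side, and a 401 for the unauthenticated case, would be safer. authorizeCallback starts outside this hunk.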
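Review bot: On the two denial paths where `authErr` is nil (`authResp.Error != nil` or `!authResp.Allowed`), `EncodeError` now receives a nil error, so the reason for the denial is dropped from whatever EncodeError records (its logging is not visible here). Passing the actual cause keeps denied requests traceable for audit, e.g. `cause := authErr` followed by `if cause == nil && authResp.Error != nil { cause = authResp.Error }`, assuming `authResp.Error` satisfies `error`. The result of `EncodeError` is still discarded with `_ =`, and a short comment saying why that is acceptable would help. The enclosing function starts and ends outside this hunk.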