PG
PostgreSQLSQLiteMariaDB
pgref.dev/sqlite/errors/SQLITE_AUTH
SQLITE_AUTHERRORTier 2 — Caution✅ HIGH confidence

not authorized

Category: Access ControlVersions: All SQLite versions

What this means

SQLITE_AUTH (result code 23) is returned when an authorizer callback (registered via sqlite3_set_authorizer()) denies permission for a specific SQL operation. SQLite itself has no built-in user/role permission system — this error only appears when the application explicitly installs an authorizer to restrict what SQL can be executed, a common pattern in embedded scripting and untrusted query environments.

Why it happens

  1. 1The application registered an authorizer callback that returns SQLITE_DENY for the attempted operation
  2. 2A security wrapper around SQLite is blocking DDL operations (CREATE, DROP) from untrusted input
  3. 3Read-only authorizer blocks an INSERT, UPDATE, or DELETE

How to reproduce

An authorizer callback blocks all write operations.

trigger — this will ERROR
import sqlite3

conn = sqlite3.connect(':memory:')
conn.execute('CREATE TABLE t (x INTEGER)')

def authorizer(action, arg1, arg2, db_name, trigger):
    import sqlite3 as _sqlite3
    if action == _sqlite3.SQLITE_INSERT:
        return _sqlite3.SQLITE_DENY  # block all inserts
    return _sqlite3.SQLITE_OK

conn.set_authorizer(authorizer)
conn.execute('INSERT INTO t VALUES (1)')  # triggers SQLITE_AUTH
sqlite3.DatabaseError: not authorized

Fix 1: Adjust the authorizer callback logic

When a legitimate operation is being incorrectly blocked.

fix
def authorizer(action, arg1, arg2, db_name, trigger):
    import sqlite3 as _sqlite3
    # Allow reads, block writes from untrusted path
    if action in (_sqlite3.SQLITE_INSERT, _sqlite3.SQLITE_UPDATE, _sqlite3.SQLITE_DELETE):
        if db_name == 'untrusted':
            return _sqlite3.SQLITE_DENY
    return _sqlite3.SQLITE_OK

Why this works

The authorizer callback receives the action code and object names. Returning SQLITE_DENY blocks the operation; SQLITE_OK allows it; SQLITE_IGNORE suppresses the column access without error. Refine the logic to allow legitimate operations.

What not to do

Remove the authorizer entirely to fix the error

Why it's wrong: If the authorizer was installed deliberately (e.g., to sandbox untrusted SQL), removing it defeats the security layer.

Version notes

All versionsSQLITE_AUTH is only raised if sqlite3_set_authorizer() has been called. Standard SQLite applications without an authorizer will never see this error.

Sources

📚 Official docs: https://www.sqlite.org/rescode.html#auth

🔧 Source ref: sqlite3.h — SQLITE_AUTH = 23

📖 Further reading: sqlite3_set_authorizer() documentation

Confidence assessment

✅ HIGH confidence

Stable. Authorizer callback semantics are well-documented in the C API reference.

See also

📄 Reference pages

sqlite3_set_authorizerSQLite security
⚙️ This error reference was generated with AI assistance and reviewed for accuracy. Examples are provided to illustrate common scenarios and may not cover every case. Always test fixes in a development environment before applying to production. Spotted an error? Suggest a correction →
All SQLite errors