diff --git a/src/cargo/sources/registry/http_remote.rs b/src/cargo/sources/registry/http_remote.rs
index 05920eab11e..e99599da128 100644
--- a/src/cargo/sources/registry/http_remote.rs
+++ b/src/cargo/sources/registry/http_remote.rs
@@ -163,6 +163,7 @@ enum StatusCode {
 NotModified,
 NotFound,
 Unauthorized,
+ Forbidden,
 }

 /// Represents a complete [`Download`] from an HTTP request.
@@ -315,6 +316,7 @@ impl<'cfg> HttpRegistry<'cfg> {
 200 => StatusCode::Success,
 304 => StatusCode::NotModified,
 401 => StatusCode::Unauthorized,
+ 403 => StatusCode::Forbidden,
 404 | 410 | 451 => StatusCode::NotFound,
 _ => {
 return Err(HttpNotSuccessful::new_from_handle(
@@ -546,7 +548,7 @@ impl<'cfg> RegistryData for HttpRegistry<'cfg> {
 // The crate was not found or deleted from the registry.
 return Poll::Ready(Ok(LoadResponse::NotFound));
 }
- StatusCode::Unauthorized
+ StatusCode::Unauthorized | StatusCode::Forbidden
 if !self.auth_required
 && path == Path::new(RegistryConfig::NAME)
 && self.config.cli_unstable().registry_auth =>
@@ -576,7 +578,7 @@ impl<'cfg> RegistryData for HttpRegistry<'cfg> {
 }
 self.auth_error_headers = result.header_map.all;
 }
- StatusCode::Unauthorized => {
+ StatusCode::Unauthorized | StatusCode::Forbidden => {
 let err = Err(HttpNotSuccessful {
 code: 401,
 body: result.data,
diff --git a/src/doc/src/reference/unstable.md b/src/doc/src/reference/unstable.md
index df9fb8ae779..da9f6c9506b 100644
--- a/src/doc/src/reference/unstable.md
+++ b/src/doc/src/reference/unstable.md
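Review bot: The guard arm `StatusCode::Unauthorized | StatusCode::Forbidden if !self.auth_required …` in the third `http_remote.rs` hunk carries no comment explaining why a 403 on `config.json` is read as "this registry requires authentication", yet that reading is what makes Cargo repeat the request with the token attached. A 403 is also what a proxy, CDN or filtering layer in front of a registry can return for reasons unrelated to credentials, so the intent should be recorded above the arm, along the lines of `// Some servers reject unauthenticated requests with 403 rather than 401; treat both as "auth required", for config.json only.` (wording for the author to confirm). The arm's body lies outside the hunk, so how a rejected authenticated retry is reported cannot be checked from here.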
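Review bot: In the last `http_remote.rs` hunk the widened arm `StatusCode::Unauthorized | StatusCode::Forbidden => {` still builds `HttpNotSuccessful` with the hard-coded `code: 401`, so a 403 response is reported to the user as a 401. Before this commit a 403 reached the `_ =>` arm of the status mapping (second hunk), which returns through `HttpNotSuccessful::new_from_handle` and presumably kept the real status. With the code lost, a token that is valid but not permitted looks the same as a missing or invalid token when someone is diagnosing registry access. Assuming the matched value can be bound here, carry the variant through: `status @ (StatusCode::Unauthorized | StatusCode::Forbidden) => {` with `code: if matches!(status, StatusCode::Forbidden) { 403 } else { 401 },`. The arm's body continues past the end of the hunk, so any message text there that assumes 401 needs the same treatment.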
@@ -967,9 +967,9 @@ To use this feature, the registry server must include `"auth-required": true` in `config.json`, and you must pass the `-Z registry-auth` flag on the Cargo command line. When using the sparse protocol, Cargo will attempt to fetch the `config.json` file before -fetching any other files. If the server responds with an HTTP 401, then Cargo will assume -that the registry requires authentication and re-attempt the request for `config.json` -with the authentication token included. +fetching any other files. If the server responds with an HTTP status code of 401 or 403, +then Cargo will assume that the registry requires authentication and re-attempt the +request for `config.json` with the authentication token included. On authentication failure (or missing authentication token) the server MAY include a `WWW-Authenticate` header with a `Cargo login_url` challenge to indicate where the user