diff --git a/packages/core/src/middleware/koa-auth.test.ts b/packages/core/src/middleware/koa-auth.test.ts
index 483513c4d..e5b03ea36 100644
--- a/packages/core/src/middleware/koa-auth.test.ts
+++ b/packages/core/src/middleware/koa-auth.test.ts
@@ -22,6 +22,19 @@ describe('koaAuth middleware', () => {
 };
 const unauthorizedError = new RequestError({ code: 'auth.unauthorized', status: 401 });
+ const jwtSubMissingError = new RequestError({ code: 'auth.jwt_sub_missing', status: 401 });
+ const authHeaderMissingError = new RequestError({
+ code: 'auth.authorization_header_missing',
+ status: 401,
+ });
+ const tokenNotSupportedError = new RequestError(
+ {
+ code: 'auth.authorization_token_type_not_supported',
+ status: 401,
+ },
+ { supportedTypes: ['Bearer'] }
+ );
+ const forbiddenError = new RequestError({ code: 'auth.forbidden', status: 403 });
 const next = jest.fn();
@@ -67,7 +80,7 @@ describe('koaAuth middleware', () => {
 });
 it('expect to throw if authorization header is missing', async () => {
- await expect(koaAuth()(ctx, next)).rejects.toMatchError(unauthorizedError);
+ await expect(koaAuth()(ctx, next)).rejects.toMatchError(authHeaderMissingError);
 });
 it('expect to throw if authorization header token type not recognized ', async () => {
@@ -78,7 +91,9 @@ describe('koaAuth middleware', () => {
 },
 };
- await expect(koaAuth()(ctx, next)).rejects.toMatchError(unauthorizedError);
+ console.log('????????????????', tokenNotSupportedError);
+
+ await expect(koaAuth()(ctx, next)).rejects.toMatchError(tokenNotSupportedError);
 });
 it('expect to throw if jwt sub is missing', async () => {
@@ -92,7 +107,7 @@ describe('koaAuth middleware', () => {
 },
 };
- await expect(koaAuth()(ctx, next)).rejects.toMatchError(unauthorizedError);
+ await expect(koaAuth()(ctx, next)).rejects.toMatchError(jwtSubMissingError);
 });
 it('expect to throw if jwt role_names is missing', async () => {
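Review bot: The added `console.log('????????????????', tokenNotSupportedError);` in the `@@ -78,7 +91,9 @@` hunk is leftover debugging output and should not be merged; it dumps the whole RequestError object on every test run and contributes nothing to the assertion. Delete that line together with the blank added line after it, so the test goes from the `ctx.request` setup straight to `await expect(koaAuth()(ctx, next)).rejects.toMatchError(tokenNotSupportedError);`. The `it` block opens above the hunk, so its request setup is only partly visible here.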
@@ -106,7 +121,7 @@ describe('koaAuth middleware', () => {
 },
 };
- await expect(koaAuth(UserRole.Admin)(ctx, next)).rejects.toMatchError(unauthorizedError);
+ await expect(koaAuth(UserRole.Admin)(ctx, next)).rejects.toMatchError(forbiddenError);
 });
 it('expect to throw if jwt role_names does not include admin', async () => {
@@ -122,6 +137,21 @@ describe('koaAuth middleware', () => {
 },
 };
- await expect(koaAuth(UserRole.Admin)(ctx, next)).rejects.toMatchError(unauthorizedError);
+ await expect(koaAuth(UserRole.Admin)(ctx, next)).rejects.toMatchError(forbiddenError);
+ });
+
+ it('expect to throw unauthorized error if unknown error occurs', async () => {
+ const mockJwtVerify = jwtVerify as jest.Mock;
+ mockJwtVerify.mockImplementationOnce(() => {
+ throw new Error('unknown error');
+ });
+ ctx.request = {
+ ...ctx.request,
+ headers: {
+ authorization: 'Bearer access_token',
+ },
+ };
+
+ await expect(koaAuth()(ctx, next)).rejects.toMatchError(unauthorizedError);
 });
 });
diff --git a/packages/core/src/middleware/koa-auth.ts b/packages/core/src/middleware/koa-auth.ts
index c3ab74d29..9014f8677 100644
--- a/packages/core/src/middleware/koa-auth.ts
+++ b/packages/core/src/middleware/koa-auth.ts
@@ -70,12 +70,15 @@ export default function koaAuth
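Review bot: In the new 'unknown error' test of the `@@ -122,6 +137,21 @@` hunk, `mockImplementationOnce(() => { throw new Error('unknown error'); })` makes `jwtVerify` throw synchronously, while a promise-returning verifier (which `jwtVerify` presumably is; its import is outside the hunk) reports a failed verification by rejecting. `mockJwtVerify.mockRejectedValueOnce(new Error('unknown error'));` would exercise the path a real verification failure takes and would still catch a regression if the middleware ever handled the call with `.catch()` instead of `try`/`await`. The failure-path tests here assert only the rejection; adding `expect(next).not.toHaveBeenCalled();` after it would pin that the downstream handler never runs when authentication fails, provided `next` is reset between tests, which is not visible in this hunk.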