diff --git a/jupyterhub/apihandlers/users.py b/jupyterhub/apihandlers/users.py
index 75a60986..2d5ccfab 100644
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -336,7 +336,7 @@ class UserTokenListAPIHandler(APIHandler):
         scope_filter = self.get_scope_filter('users:tokens')
         if user is None or not scope_filter(user, kind):
             raise web.HTTPError(
-                404,
+                403,
                 f"{kind.title()} {user_name} not found or no permissions to generate tokens",
             )
 
diff --git a/jupyterhub/tests/test_api.py b/jupyterhub/tests/test_api.py
index 1029b728..9bd66be9 100644
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -1310,8 +1310,8 @@ async def test_get_new_token(app, headers, status, note, expires_in):
     "as_user, for_user, status",
     [
         ('admin', 'other', 200),
-        ('admin', 'missing', 404),
-        ('user', 'other', 404),
+        ('admin', 'missing', 403),
+        ('user', 'other', 403),
         ('user', 'user', 200),
     ],
 )