diff --git a/cmd/engines_acp_ory_allowed.go b/cmd/engines_acp_ory_allowed.go
index 44e2f8896..a01d10d2d 100644
--- a/cmd/engines_acp_ory_allowed.go
+++ b/cmd/engines_acp_ory_allowed.go
@@ -22,7 +22,6 @@ import (
 "github.com/ory/keto/cmd/client"
 "github.com/ory/keto/sdk/go/keto/swagger"
- "github.com/ory/keto/x"
 "github.com/ory/x/cmdx"
 )
@@ -40,9 +39,12 @@ var enginesAcpOryAllowedCmd = &cobra.Command{
 Resource: args[2],
 Action: args[3],
 })
- x.CheckResponse(err, http.StatusOK, res)
+ cmdx.Must(err, "Command failed because error occurred: %s", err)
+
+ if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusForbidden {
+ cmdx.Fatalf("Expected status code %d or %d but got: %d", http.StatusOK, http.StatusForbidden, res.StatusCode)
+ }
- cmdx.Must(err, "Unable to decode data to json: %s", err)
 fmt.Println(cmdx.FormatResponse(&a))
 },
 }
diff --git a/engine/engine.go b/engine/engine.go
index 168e0d3b5..602c31ccc 100644
--- a/engine/engine.go
+++ b/engine/engine.go
@@ -47,7 +47,12 @@ func (h *Engine) Evaluate(e evaluator) httprouter.Handle {
 return
 }
- h.h.Write(w, r, &AuthorizationResult{Allowed: allowed})
+ code := http.StatusOK
+ if !allowed {
+ code = http.StatusForbidden
+ }
+
+ h.h.WriteCode(w, r, code, &AuthorizationResult{Allowed: allowed})
 }
 }
diff --git a/engine/ladon/handler_test.go b/engine/ladon/handler_test.go
index 0d984341e..6e49f984a 100644
--- a/engine/ladon/handler_test.go
+++ b/engine/ladon/handler_test.go
@@ -62,7 +62,11 @@ func TestAllowed(t *testing.T) {
 for k, c := range requests[f] {
 t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 d, res, err := cl.DoOryAccessControlPoliciesAllow(f, c.req)
- x.CheckResponseTest(t, err, http.StatusOK, res)
+ if c.allowed {
+ x.CheckResponseTest(t, err, http.StatusOK, res)
+ } else {
+ x.CheckResponseTest(t, err, http.StatusForbidden, res)
+ }
 assert.Equal(t, c.allowed, d.Allowed)
 })
 }
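Review bot: In cmd/engines_acp_ory_allowed.go a 403 now passes the status check and falls through to `fmt.Println(cmdx.FormatResponse(&a))`, so a denied request appears to finish with the same exit status as an allowed one. A script that gates on the command's exit status would then treat a denial as success. Either exit non-zero after printing when `res.StatusCode == http.StatusForbidden`, or state the contract above the check, e.g. `// 403 is a valid "denied" decision, not a failure; the exit status does not reflect the decision, callers must parse the printed result.` The Run function starts before this hunk, so how `a` is populated on a 403 is not visible here and is worth confirming.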
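Review bot: In engine/engine.go the handler's status contract changes without a comment: a deny is now answered with 403 and the same `AuthorizationResult` body that an allow carries with 200. Clients that treated any non-200 as a transport or server failure will now see denials on that path, and a 403 produced by something in front of this handler (not visible here) could not be told apart from a policy decision by status alone. I would add above `code := http.StatusOK` a comment such as `// Deny is reported as 403 with Allowed=false in the body; clients should read the body and treat a 403 without a valid body as an error, not a decision.` The enclosing closure begins outside the hunk.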
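Review bot: In engine/ladon/handler_test.go the two `x.CheckResponseTest` calls differ only in the expected status, so the branch can pick the status and leave a single call: `want := http.StatusOK`, `if !c.allowed { want = http.StatusForbidden }`, `x.CheckResponseTest(t, err, want, res)`. That mirrors the `code` selection added in engine/engine.go. Separately, `d.Allowed` is now read on the 403 path as well, so the test relies on the client decoding the body of a non-2xx response. If `CheckResponseTest` does not stop the subtest on a mismatch, a nil `d` would panic instead of failing cleanly; neither helper is visible here, so that is worth confirming.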