diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 36b4f5413b..da0a479b20 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1887,12 +1887,14 @@ class CredentialTypeSerializer(BaseSerializer):
 
     def validate(self, attrs):
         if self.instance and self.instance.managed_by_tower:
-            raise serializers.ValidationError(
-                {"detail": _("Modifications not allowed for credential types managed by Tower")})
+            raise PermissionDenied(
+                detail=_("Modifications not allowed for credential types managed by Tower")
+            )
         if self.instance and self.instance.credentials.exists():
             if 'inputs' in attrs and attrs['inputs'] != self.instance.inputs:
-                raise serializers.ValidationError(
-                    {"inputs": _("Modifications to inputs are not allowed for credential types that are in use")})
+                raise PermissionDenied(
+                    detail= _("Modifications to inputs are not allowed for credential types that are in use")
+                )
         fields = attrs.get('inputs', {}).get('fields', [])
         for field in fields:
             if field.get('ask_at_runtime', False):
diff --git a/awx/api/views.py b/awx/api/views.py
index ebecc6947c..1fb87ff7d7 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1590,8 +1590,10 @@ class CredentialTypeDetail(RetrieveUpdateDestroyAPIView):
 
     def destroy(self, request, *args, **kwargs):
         instance = self.get_object()
-        if instance.managed_by_tower or instance.credentials.exists():
-            raise PermissionDenied(detail=_("Credential types that are in use cannot be deleted."))
+        if instance.managed_by_tower:
+            raise PermissionDenied(detail=_("Deletion not allowed for credential types managed by Tower"))
+        if instance.credentials.exists():
+            raise PermissionDenied(detail=_("Credential types that are in use cannot be deleted"))
         return super(CredentialTypeDetail, self).destroy(request, *args, **kwargs)
 
 
diff --git a/awx/main/tests/functional/api/test_credential_type.py b/awx/main/tests/functional/api/test_credential_type.py
index 86f9ad8d60..a43b864d7b 100644
--- a/awx/main/tests/functional/api/test_credential_type.py
+++ b/awx/main/tests/functional/api/test_credential_type.py
@@ -50,7 +50,7 @@ def test_update_managed_by_tower_xfail(patch, delete, admin):
     ssh.save()
     url = reverse('api:credential_type_detail', kwargs={'pk': ssh.pk})
     response = patch(url, {'name': 'Some Other Name'}, admin)
-    assert response.status_code == 400
+    assert response.status_code == 403
     assert delete(url, admin).status_code == 403
 
 
@@ -67,7 +67,7 @@ def test_update_credential_type_in_use_xfail(patch, delete, admin):
 
     url = reverse('api:credential_type_detail', kwargs={'pk': ssh.pk})
     response = patch(url, {'inputs': {}}, admin)
-    assert response.status_code == 400
+    assert response.status_code == 403
 
     assert delete(url, admin).status_code == 403