Akamai purge by CP code fails "not authorized" in CI
A CP-code purge was denied: purging by CP code requires the API client to be authorized for that specific CP code. A 403 here means the client cannot act on the CP code, or the code value does not exist for the account.
What this error means
A POST to /ccu/v3/invalidate/cpcode returns HTTP 403, or the purge reports the CP code as not accessible. Purging by URL for the same content may still work if the client has broader URL scope.
{
"type": "https://problems.luna.akamaiapis.net/-/pep-authz/deny",
"title": "The client does not have authorization to access this resource.",
"status": 403,
"detail": "cpcode 123456 is not accessible for this API client"
}Common causes
The client is not scoped to the CP code
CP-code purges are checked against the client's authorized CP codes; one outside its scope is denied.
The CP code value is wrong
A mistyped or stale CP code does not resolve to an object the account owns, so the request is rejected.
How to fix it
Authorize the client for the CP code
- In IAM, grant the API client access to the CP code group.
- Confirm the CP code value against the account.
- Re-run the CP-code purge.
akamai purge --edgerc ./.edgerc invalidate --cpcode 123456Fall back to purge by URL
If CP-code scope cannot be granted quickly, purge the specific URLs the client is authorized for.
akamai purge --edgerc ./.edgerc invalidate https://www.example.com/app.jsHow to prevent it
- Scope the API client to the CP codes you purge.
- Read CP code values from config, not typed literals.
- Prefer URL or key purges when CP-code scope is not available.