Skip to content
Latchkey

Akamai purge by CP code fails "not authorized" in CI

A CP-code purge was denied: purging by CP code requires the API client to be authorized for that specific CP code. A 403 here means the client cannot act on the CP code, or the code value does not exist for the account.

What this error means

A POST to /ccu/v3/invalidate/cpcode returns HTTP 403, or the purge reports the CP code as not accessible. Purging by URL for the same content may still work if the client has broader URL scope.

Akamai CCU
{
  "type": "https://problems.luna.akamaiapis.net/-/pep-authz/deny",
  "title": "The client does not have authorization to access this resource.",
  "status": 403,
  "detail": "cpcode 123456 is not accessible for this API client"
}

Common causes

The client is not scoped to the CP code

CP-code purges are checked against the client's authorized CP codes; one outside its scope is denied.

The CP code value is wrong

A mistyped or stale CP code does not resolve to an object the account owns, so the request is rejected.

How to fix it

Authorize the client for the CP code

  1. In IAM, grant the API client access to the CP code group.
  2. Confirm the CP code value against the account.
  3. Re-run the CP-code purge.
Terminal
akamai purge --edgerc ./.edgerc invalidate --cpcode 123456

Fall back to purge by URL

If CP-code scope cannot be granted quickly, purge the specific URLs the client is authorized for.

Terminal
akamai purge --edgerc ./.edgerc invalidate https://www.example.com/app.js

How to prevent it

  • Scope the API client to the CP codes you purge.
  • Read CP code values from config, not typed literals.
  • Prefer URL or key purges when CP-code scope is not available.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →