Netlify CLI deploy "Not authorized" (token missing) in CI
The Netlify CLI could not authenticate non-interactively: "Not authorized to access this resource" means NETLIFY_AUTH_TOKEN is missing or expired, or NETLIFY_SITE_ID refers to a site the token cannot reach. The CLI cannot prompt for a login in CI.
What this error means
netlify deploy fails with "Error: Not authorized to access this resource" (or a 401). Local deploys using a saved login work; CI without the token env var does not.
Error: Not authorized to access this resource
at ... (netlify-cli)
# NETLIFY_AUTH_TOKEN unset or expired, or NETLIFY_SITE_ID not accessible by this tokenCommon causes
NETLIFY_AUTH_TOKEN is missing or expired
The CLI reads a personal access token from NETLIFY_AUTH_TOKEN. If it is unset in the job or has been revoked, the deploy is unauthorized.
The token cannot access the target site
A valid token belonging to a user without access to the NETLIFY_SITE_ID site is rejected for that resource.
How to fix it
Provide the token and site id via env
- Create a Netlify personal access token.
- Store it and the site id as secrets.
- Expose them as NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID to the deploy step.
- name: Deploy to Netlify
run: npx netlify deploy --prod --dir=dist
env:
NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}Confirm the token and site with status
Run netlify status to verify the token authenticates and can see the site before deploying.
npx netlify statusHow to prevent it
- Set NETLIFY_AUTH_TOKEN from a secret in every deploy job.
- Store NETLIFY_SITE_ID for the correct site.
- Rotate the token in one place and update the secret.