Skip to content
Latchkey

dotnet nuget push 403 invalid or forbidden API key in CI

A 403 on push means the feed accepted the request but the API key is not permitted to publish: it is missing, wrong, expired, or scoped without push rights. Retrying will not help until the key is fixed.

What this error means

push fails with "Response status code does not indicate success: 403 (Forbidden)" or "The specified API key is invalid, has expired, or does not have permission".

dotnet
error: Response status code does not indicate success: 403 (Forbidden).
      The specified API key is invalid, has expired, or does not have permission to
      access the specified package.

Common causes

The API key is missing, wrong, or expired

The --api-key value was not injected, points at the wrong feed, or has passed its expiry, so the feed forbids the push.

The key lacks push scope for this package

A read-only or glob-restricted key can authenticate but is not allowed to publish this package id.

How to fix it

Provide a valid push-scoped key from a secret

  1. Generate an API key with push permission for the target feed and package pattern.
  2. Store it as a CI secret and pass it via --api-key.
  3. Re-run the push once a valid key is in place.
Terminal
dotnet nuget push *.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_API_KEY }}

Rotate an expired key

API keys expire; issue a new one with the same scope, update the secret, and the 403 clears.

How to prevent it

  • Store push API keys as CI secrets and rotate before expiry.
  • Scope keys to the exact package pattern they publish.
  • Confirm the key targets the same feed you push to.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →