dotnet nuget push 403 invalid or forbidden API key in CI
A 403 on push means the feed accepted the request but the API key is not permitted to publish: it is missing, wrong, expired, or scoped without push rights. Retrying will not help until the key is fixed.
What this error means
push fails with "Response status code does not indicate success: 403 (Forbidden)" or "The specified API key is invalid, has expired, or does not have permission".
error: Response status code does not indicate success: 403 (Forbidden).
The specified API key is invalid, has expired, or does not have permission to
access the specified package.Common causes
The API key is missing, wrong, or expired
The --api-key value was not injected, points at the wrong feed, or has passed its expiry, so the feed forbids the push.
The key lacks push scope for this package
A read-only or glob-restricted key can authenticate but is not allowed to publish this package id.
How to fix it
Provide a valid push-scoped key from a secret
- Generate an API key with push permission for the target feed and package pattern.
- Store it as a CI secret and pass it via
--api-key. - Re-run the push once a valid key is in place.
dotnet nuget push *.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_API_KEY }}Rotate an expired key
API keys expire; issue a new one with the same scope, update the secret, and the 403 clears.
How to prevent it
- Store push API keys as CI secrets and rotate before expiry.
- Scope keys to the exact package pattern they publish.
- Confirm the key targets the same feed you push to.