Skip to content
Latchkey

GitLab CI "CI_JOB_TOKEN" 403 - Insufficient Job Token Permissions

CI_JOB_TOKEN authenticates a running job to GitLab. By default it is scoped narrowly, so cloning another project, hitting the API, or pulling a package across projects returns 403/401 until access is granted.

What this error means

A job using CI_JOB_TOKEN to clone a second repo, call the API, or pull a package registry fails with 401/403 - even though the token is valid for this project. The token simply is not allowed at the target.

Job log
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/group/other-repo.git/':
The requested URL returned error: 403

Common causes

Target project does not allow this token

Job-token access between projects is restricted by an allowlist. Unless the target project permits the source project, cross-project clone/API/package access is denied.

Operation needs more than read scope

The job token has limited scopes. Some API operations or package actions require permissions the job token is not granted.

How to fix it

Allow the source project in the target

  1. In the target project, open Settings → CI/CD → Token Access (Job token permissions).
  2. Add the source project to the allowlist so its CI_JOB_TOKEN is accepted.
  3. Re-run the job; the cross-project clone/API call now authenticates.

Use the token correctly for clones

Clone with the gitlab-ci-token user and the job token over HTTPS.

Job script
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/group/other-repo.git

How to prevent it

  • Maintain the job-token allowlist between projects that share CI access.
  • Prefer the job token for in-pipeline access; reserve PATs for what it cannot do.
  • Scope any fallback access token to the minimum required permissions.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →