Skip to content
Latchkey

Nx Cloud "access token" unauthorized in CI

Nx tried to read from or write to Nx Cloud and the request was rejected. The NX_CLOUD_ACCESS_TOKEN (or nxCloudAccessToken) is absent, invalid, or a read-only token is being used where a read-write one is required.

What this error means

An Nx run prints an Nx Cloud authentication failure such as "The provided access token is not authorized" or "Invalid Nx Cloud access token", and remote caching is disabled for the run.

Nx
NX   The provided access token is not authorized to access this workspace.

Common causes

The token is missing or not injected

The CI step has no NX_CLOUD_ACCESS_TOKEN, so Nx sends an unauthenticated request and Nx Cloud rejects it.

A read-only token used for a write

A read-only access token can fetch cache hits but cannot upload; a task that tries to write the remote cache is rejected.

How to fix it

Inject a valid token from secrets

  1. Store the Nx Cloud token as a CI secret.
  2. Expose it to the job as NX_CLOUD_ACCESS_TOKEN.
  3. Re-run so Nx authenticates to the workspace.
.github/workflows/ci.yml
env:
  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}

Use a read-write token where writes are needed

Pipelines that populate the cache need a read-write token; reserve read-only tokens for untrusted contexts like fork PRs.

How to prevent it

  • Keep the Nx Cloud token in CI secrets, never committed.
  • Match token scope (read vs read-write) to the job's needs.
  • Rotate the token and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →