Skip to content
Latchkey

JFrog "403 Forbidden" repository permissions in CI

Artifactory returned HTTP 403 because authentication succeeded but the token lacks permission on the target repository. Unlike 401, retrying with the same credential never fixes it.

What this error means

A jf rt upload or jf rt download step fails with "403 Forbidden" after credentials are accepted. The permission target for that repo does not grant the token deploy or read.

jf
[Error] server response: 403 Forbidden
{
  "errors": [ { "status": 403, "message": "Forbidden" } ]
}

Common causes

The token lacks deploy or read on the repo

Permission targets in Artifactory scope users and groups to specific repositories and actions. The CI token is not granted Deploy/Cache or Read on the target repo.

A read-only token used for an upload

A token scoped only for reads (or a repo path it does not cover) is used to deploy, so the write is refused with 403.

How to fix it

Grant the CI principal permission on the repo

  1. In the JFrog Platform, open the permission target covering the target repository.
  2. Add the CI user or group with Deploy/Cache and Read as needed.
  3. Re-run the upload and confirm the 403 clears.

Confirm the token scope matches the operation

A 403 will not be fixed by retrying. Verify the token belongs to a principal with write access to that exact repository path.

Terminal
jf rt curl -XGET "/api/repositories/my-libs-local"

How to prevent it

  • Grant least-privilege deploy permission scoped to the CI repos.
  • Use separate tokens for read-only pulls and deploy pipelines.
  • Verify permission targets when adding a new repository to CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →