JFrog "403 Forbidden" repository permissions in CI
Artifactory returned HTTP 403 because authentication succeeded but the token lacks permission on the target repository. Unlike 401, retrying with the same credential never fixes it.
What this error means
A jf rt upload or jf rt download step fails with "403 Forbidden" after credentials are accepted. The permission target for that repo does not grant the token deploy or read.
[Error] server response: 403 Forbidden
{
"errors": [ { "status": 403, "message": "Forbidden" } ]
}Common causes
The token lacks deploy or read on the repo
Permission targets in Artifactory scope users and groups to specific repositories and actions. The CI token is not granted Deploy/Cache or Read on the target repo.
A read-only token used for an upload
A token scoped only for reads (or a repo path it does not cover) is used to deploy, so the write is refused with 403.
How to fix it
Grant the CI principal permission on the repo
- In the JFrog Platform, open the permission target covering the target repository.
- Add the CI user or group with Deploy/Cache and Read as needed.
- Re-run the upload and confirm the 403 clears.
Confirm the token scope matches the operation
A 403 will not be fixed by retrying. Verify the token belongs to a principal with write access to that exact repository path.
jf rt curl -XGET "/api/repositories/my-libs-local"How to prevent it
- Grant least-privilege deploy permission scoped to the CI repos.
- Use separate tokens for read-only pulls and deploy pipelines.
- Verify permission targets when adding a new repository to CI.