
Getting 403 Forbidden when calling `--head` with `read_api` scope

Doc section: https://docs.gitlab.com/ee/api/README.html#pagination-link-header

The example is:

```
curl --head --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/9/issues/8/notes?per_page=3&page=2"
```

However, I get a 403 Forbidden when I try to run the following with a token that has the `read_api` scope:

```
curl --head --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.<company-domain.com>/api/v4/projects"
```

The command works fine if I remove the `--head` flag, or use a token with the `api` scope (which has both read and write permissions).

It looks like HTTP HEAD (method used by the `--head` flag) requires write permission.

The alternative I'm using is `--dump-header <filename>` to dump the headers to a file. This works with the `read_api` scope.

Perhaps the documentation should be updated (or HEAD should only require read permission, unsure).

Edited by Arnaud Henry
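
The `--dump-header` workaround described in the report, as an added example that is not part of the original issue or of GitLab's documentation: a GET that discards the body, plus a parser that pulls a pagination URL out of the dumped `Link` header. The function names, the `GITLAB_TOKEN` environment variable and the sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# GET the resource, discard the body, keep only the response headers.
# GITLAB_TOKEN (assumed env var) holds a token with the read_api scope.
fetch_headers() {   # $1 = API URL, $2 = file to write headers to
    curl --silent --show-error --output /dev/null \
         --dump-header "$2" \
         --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" "$1"
}

# Print the URL carrying the requested rel (next, prev, first, last)
# from the Link header in a dumped header file; prints nothing if absent.
link_rel() {        # $1 = header file, $2 = rel name
    tr -d '\r' < "$1" | awk -v rel="$2" '
        tolower($0) ~ /^link:/ {
            sub(/^[^:]*:[ \t]*/, "")              # drop the header name
            n = split($0, parts, /,[ \t]*</)      # one entry per <url>; rel=".."
            for (i = 1; i <= n; i++) {
                p = parts[i]
                sub(/^</, "", p)
                if (p ~ ("rel=\"" rel "\"")) {
                    sub(/>.*/, "", p)             # keep only the URL
                    print p
                    exit
                }
            }
        }'
}

# Constructed sample of a dumped header file (not real server output),
# so the parser can be exercised offline.
write_sample_headers() {   # $1 = file to write
    {
        printf '%s\r\n' 'HTTP/1.1 200 OK'
        printf '%s\r\n' 'Link: <https://gitlab.example.com/api/v4/projects?page=1&per_page=3>; rel="prev", <https://gitlab.example.com/api/v4/projects?page=3&per_page=3>; rel="next", <https://gitlab.example.com/api/v4/projects?page=1&per_page=3>; rel="first"'
        printf '%s\r\n' 'X-Page: 2' ''
    } > "$1"
}

# Offline demonstration; against a real instance, call
# fetch_headers "<api url>" "$hdrs" instead of write_sample_headers.
hdrs=$(mktemp)
write_sample_headers "$hdrs"
link_rel "$hdrs" next
rm -f "$hdrs"
```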