<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=568868) </details> <!--IssueSummary end--> According [to the docs](https://docs.gitlab.com/ci/jobs/ci_job_token/#:~:text=repository/changelog%20endpoint.-,Tags%20API,-Can%20access%20the) the Tags API should support authenticated requested using a CI Job Token. That's the case when the repository is available to everyone on a project. That is, the following setting is configured **Settings → General → Visibility, project features, permissions → Repository** to `Everyone with access` We can confirm this with the following job in the same project (make sure the tag `1.0.0` exists): ```yaml tags-ci-job-token: image: alpine script: - apk add curl - 'curl --header "Job-Token: $CI_JOB_TOKEN" --url "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags"' - 'curl --header "Job-Token: $CI_JOB_TOKEN" --url "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags/1.0.0"' ``` However, when the aforementioned setting is changed to **Settings → General → Visibility, project features, permissions → Repository** to `Only Project Members` then the second `curl` command fails with a `403 Forbidden`. My assumption would be that the CI Job Token can be used independently of the visibility of the repository in a project. *** This came up in https://gitlab.com/gitlab-org/cli/-/issues/7859#note_2733841616.