Old version

This documentation is for a Forgejo version which is no longer supported.

To read the up-to-date documentation, navigate to the latest version.

Access Token scope

Forgejo supports scoped access tokens, which allow users to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following:

  • read: GET routes
  • write: POST, PUT, PATCH, and DELETE routes (in addition to GET)

Forgejo token scopes are as follows:

NameDescription
(no scope)Not supported. A scope is required even for public repositories.
activitypubactivitypub API routes: ActivityPub related operations.
    read:activitypubGrants read access for ActivityPub operations.
    write:activitypubGrants read/write/delete access for ActivityPub operations.
admin/admin/* API routes: Site-wide administrative operations (hidden for non-admin accounts).
    read:adminGrants read access for admin operations, such as getting cron jobs or registered user emails.
    write:adminGrants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.
issueissues/*, labels/*, milestones/* API routes: Issue-related operations.
    read:issueGrants read access for issues operations, such as getting issue comments, issue attachments, and milestones.
    write:issueGrants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.
miscmiscellaneous and settings top-level API routes.
    read:miscGrants read access to miscellaneous operations, such as getting label and gitignore templates.
    write:miscGrants read/write/delete access to miscellaneous operations, such as markup utility operations.
notificationnotification/* API routes: user notification operations.
    read:notificationGrants read access to user notifications, such as which notifications users are subscribed to and read new notifications.
    write:notificationGrants read/write/delete access to user notifications, such as marking notifications as read.
organizationorgs/* and teams/* API routes: Organization and team management operations.
    read:organizationGrants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members.
    write:organizationGrants read/write/delete access to org and team status, such as creating and updating teams and updating org settings.
package/packages/* API routes: Packages operations
    read:packageGrants read access to package operations, such as reading and downloading available packages.
    write:packageGrants read/write/delete access to package operations. Currently the same as read:package.
repository/repos/* API routes except /repos/issues/*: Repository file, pull-request, and release operations.
    read:repositoryGrants read access to repository operations, such as getting repository files, releases, collaborators.
    write:repositoryGrants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators.
user/user/* and /users/* API routes: User-related operations.
    read:userGrants read access to user operations, such as getting user repo subscriptions and user settings.
    write:userGrants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings.