Normalize markdown formatting after the latest main updates.

Checks: python3 scripts/layered_soul.py validate .; npx --yes prettier@3 --check '**/*.md'; git diff --check.
2.5 KiB
# Forgejo Admin Token Scopes
Different Forgejo API endpoints require different token scopes. This table captures what we learned from trial and error.
| Operation | Endpoint | Required scope | Admin token can? |
|---|---|---|---|
| Create user | POST /admin/users | `write:admin` | Yes |
| Add SSH key to user | POST /admin/users/{user}/keys | `write:admin` | Yes |
| List SSH keys (own) | GET /user/keys | `read:user` | No (admin token doesn't have this) |
| List SSH keys (admin) | GET /admin/users/{user}/keys | `write:admin` | 405 Method Not Allowed |
| Create repo | POST /user/repos | `write:user` | No |
| Create repo under org | POST /orgs/{org}/repos | `write:organization` | No |
| Add collaborator | PUT /repos/{owner}/{repo}/collaborators/{user} | `write:repository` | No (403) |
| List collaborators | GET /repos/{owner}/{repo}/collaborators | `read:repository` | No |
| Create PR | POST /repos/{owner}/{repo}/pulls | `write:repository` | No |
| Set branch protection | POST /repos/{owner}/{repo}/branch_protections | Owner? (403 even with admin) | No |
| Get branch protections | GET /repos/{owner}/{repo}/branch_protections | `read:repository` | No |
## Takeaways

- Admin tokens are narrow: `write:admin` only covers user management (create user, add keys).
- Repo operations need repo tokens: adding collaborators, creating PRs, setting branch protection all need `write:repository` on a user-owned token, not an admin token.
- Browser is the fallback: when API scope gaps block you, log in via browser as the repo owner.
- No single token does everything: Forgejo's scope model forces separation. Bootstrap with admin token, then switch to repo-scoped or browser for everything else.
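The bootstrap split described above, as an added example that is not part of this repository: each step is routed to the first token whose scopes cover the required scope from the table, and steps no token covers (branch protection) fall through to the browser. It assumes a `write:<category>` scope also satisfies `read:<category>`, and the instance URL and token names are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.request import Request

FORGEJO_API = "https://forgejo.example.invalid/api/v1"  # constructed placeholder

# Method, path and required scope for each operation, as recorded in the table above.
# Branch protection returned 403 even for admin, so it is marked owner-only (None).
OPERATIONS = {
    "create_user":        ("POST", "/admin/users", "write:admin"),
    "add_ssh_key":        ("POST", "/admin/users/{user}/keys", "write:admin"),
    "create_repo":        ("POST", "/user/repos", "write:user"),
    "add_collaborator":   ("PUT", "/repos/{owner}/{repo}/collaborators/{user}", "write:repository"),
    "create_pr":          ("POST", "/repos/{owner}/{repo}/pulls", "write:repository"),
    "list_collaborators": ("GET", "/repos/{owner}/{repo}/collaborators", "read:repository"),
    "branch_protection":  ("POST", "/repos/{owner}/{repo}/branch_protections", None),
}

@dataclass(frozen=True)
class Token:
    name: str              # label only; the secret is never embedded here
    scopes: frozenset

def scope_covers(granted: str, required: str) -> bool:
    """Assumption: write:<category> implies read:<category>; categories never cross."""
    g_level, g_cat = granted.split(":", 1)
    r_level, r_cat = required.split(":", 1)
    return g_cat == r_cat and (g_level == r_level or (g_level == "write" and r_level == "read"))

def pick_token(required, tokens):
    """First token (narrowest listed first) that holds a covering scope, else None."""
    if required is None:
        return None
    return next((t for t in tokens if any(scope_covers(s, required) for s in t.scopes)), None)

def plan_bootstrap(steps, tokens, **params):
    """Return (step, token_name, Request|None) per step; 'browser' marks a scope gap."""
    plan = []
    for step in steps:
        method, path, required = OPERATIONS[step]
        tok = pick_token(required, tokens)
        if tok is None:
            plan.append((step, "browser", None))  # log in via browser as the repo owner
            continue
        req = Request(FORGEJO_API + path.format(**params), method=method,
                      headers={"Authorization": f"token ${tok.name.upper()}_TOKEN"})  # placeholder
        plan.append((step, tok.name, req))
    return plan

# Constructed tokens: admin holds only write:admin, the repo owner holds user + repository scopes.
EXAMPLE_TOKENS = [Token("admin", frozenset({"write:admin"})),
                  Token("owner", frozenset({"write:user", "write:repository"}))]
```

Running `plan_bootstrap(list(OPERATIONS), EXAMPLE_TOKENS, user="alice", owner="bob", repo="infra")` routes the two admin steps to the admin token, the repo steps to the owner token, and branch protection to the browser.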