[GH-ISSUE #787] 403 error on API key with full permissions #1632

Closed
opened 2026-04-16 08:21:35 -05:00 by GiteaMirror · 5 comments

Originally created by @kmanwar89 on GitHub (May 26, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/787

I'm trying to use the API for some programmatic/bulk adding of resources that all share a similar ruleset, without having to duplicate 2/3 dozen times. While reading through the Swagger docs, I'm trying to just do the simplest possible test - a GET to `/orgs` to get the Org ID, but each time I do it (through the Web UI or `curl` commands) I'm greeted with a `403: Key does not have root access` error.

I created the API key with 100% wide open permissions, and am confident it has permissions to GET the orgs. I tried a different key with all permissions selected under the org; same issue.

I assumed it was Crowdsec banning my WAN IP (it was, for some reason), so I tried it again after removing all Crowdsec references from my compose file and traefik configs - no dice.

Any ideas on this one? I searched for others with the same issue, but their symptoms and resolutions were quite different.

Screenshot of error in the Swagger UI:

![Image](https://github.com/user-attachments/assets/7ee74c31-a42a-4655-b45b-32de3cba00c7)

And screenshot of API permissions:

![Image](https://github.com/user-attachments/assets/82d338c9-11f8-438b-af80-7ed8f922a410)

@miloschwartz commented on GitHub (May 27, 2025):

We need to work on better public documentation for the API, but some permissions are only scoped to root api keys. Looks like from the screenshot this is an "org" API key not a root key. An org key is generated from the sidebar in an organization while the root key is generated from the server admin panel. Let me know if there are still issues and might be a bug.


@manelmolinaig commented on GitHub (May 27, 2025):

> We need to work on better public documentation for the API, but some permissions are only scoped to root api keys. Looks like from the screenshot this is an "org" API key not a root key. An org key is generated from the sidebar in an organization while the root key is generated from the server admin panel. Let me know if there are still issues and might be a bug.

Related to API documentation... https://docs.fossorial.io/Pangolin/API/integration-api

It seems it is necessary to add routers to reach the API on api.domain.com, but my traefik config file (v4) already has API routers on domain.com/api. Which is the right endpoint/subdomain?

Thanks!


@oschwartz10612 commented on GitHub (May 27, 2025):

The integration API is separate from the internal API (at /api/v1) used by the Pangolin web UI. This was to make it easier to keep stable and authenticate differently.

It is best to expose this with the example traefik config I think.

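As an added illustration of the split described in the reply above (this is not the Pangolin project's own example config; check it against the docs page linked earlier), here is a Traefik dynamic-configuration fragment that gives the integration API its own hostname while leaving the dashboard's internal `/api/v1` on the main host untouched. The hostname `api.example.com`, the upstream name and port `pangolin:3003`, the entry point `websecure` and the resolver name `letsencrypt` are assumptions about a typical deployment and must be replaced with your own values.

```yaml
# Added example, not from the Pangolin docs or repository.
# Assumptions: Traefik can reach the Pangolin container as "pangolin",
# the integration API listens on port 3003, the TLS entry point is
# named "websecure" and the ACME resolver is named "letsencrypt".
http:
  routers:
    # Integration API (root / org API keys) on its own hostname.
    # The web UI's internal API stays at https://example.com/api/v1
    # and is served by the existing dashboard router, not this one.
    api-router:
      rule: "Host(`api.example.com`)"
      service: api-service
      entryPoints:
        - websecure          # TLS only: API keys travel in a header
      tls:
        certResolver: letsencrypt

  services:
    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3003"   # assumed integration-API port
```

Two practical checks once this is in place. First, send a request for the orgs endpoint to the new host with the key in the `Authorization` header (the exact header form and path are in the integration API docs): a root key returns the org list, while an org-scoped key returns the `403: Key does not have root access` reported in this issue, so the status code alone does not tell you whether the key or the route is wrong, read the body. Second, if a CrowdSec bouncer middleware is attached to this router, a banned client also receives a 403, but from Traefik rather than from Pangolin; the response body distinguishes the two cases, which is why removing CrowdSec did not change the symptom here.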

@kmanwar89 commented on GitHub (May 28, 2025):

Thank you! I totally glanced over that in the documentation and didn't realize the different scope was per-org (which is much more secure, and I'm glad to see that's already a feature!). I can confirm creating the API key via the Server Admin fixed my issue and I was able to list the orgs and can now begin developing my automated flows. Thank you again @miloschwartz

I'll let you decide if this should be closed or not, but it's solved from my perspective.


@oschwartz10612 commented on GitHub (May 29, 2025):

Happy it is working! I will close but feel free to reopen.


Reference: github-starred/pangolin#1632