API request keeps returning "The owner of the used API token does not have permission to make API calls" #3974

Closed
opened 2026-02-05 08:00:08 +03:00 by OVERLORD · 3 comments

Originally created by @dyzdyz010 on GitHub (Aug 17, 2023).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I used the admin user to create an API key, but the endpoint keeps returning an error:

{
    "error": {
        "message": "The owner of the used API token does not have permission to make API calls",
        "code": 403
    }
}

Endpoint: /api/pages

Exact BookStack Version

v23.06.2

Log Content

No response

PHP Version

8.2.8

Hosting Environment

Docker image: lscr.io/linuxserver/bookstack:latest

OVERLORD added the 🐕 Support label 2026-02-05 08:00:08 +03:00

@ssddanbrown commented on GitHub (Aug 17, 2023):

  • What user did you create the API key for?
  • What roles do they have?
  • Do those roles have the "Access System API" permission granted?

@dyzdyz010 commented on GitHub (Aug 17, 2023):

Update: It works now. I didn't do anything, just waited for a couple of hours. Don't know why.

> What user did you create the API key for?
> What roles do they have?
> Do those roles have the "Access System API" permission granted?

I logged in as the Admin user, which belongs to the Admin role and has all permissions enabled.

Then in the Users section, I selected the Admin user. At the bottom of the page I clicked CREATE TOKEN.

On the token creation page, I just gave it a name and hit SAVE.

Thus I got a Token ID and a Token Secret.

Then I requested /api/pages with the token above.


@ssddanbrown commented on GitHub (Aug 17, 2023):

> Update: It works now, I didn't do anything, just wait for a couple of hours. Don't know why.

Cool, I'll therefore close this off.
If you are using front-end web technologies in this, in an environment & request manner that could have had session cookies for BookStack, then they could have possibly interfered. The API will attempt to use an existing browser session first and could produce this error if API access was not present for that session user.

Reference: starred/BookStack#3974
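
The session-cookie interference described in the last comment can be ruled out from browser code by sending the token with cookies omitted. The following is an added example, not part of the original thread or BookStack's own code; the host, token values and helper names are assumptions, and the `Authorization: Token <id>:<secret>` header follows BookStack's API documentation.

```javascript
// Added example, not BookStack code. Host, token values and helper names are assumptions.
const PERMISSION_ERROR =
  "The owner of the used API token does not have permission to make API calls";

// Build fetch() arguments that authenticate with the API token only.
function buildApiRequest(baseUrl, path, tokenId, tokenSecret) {
  if (!tokenId || !tokenSecret) throw new Error("token ID and secret are required");
  return {
    url: baseUrl.replace(/\/+$/, "") + path,
    options: {
      method: "GET",
      // "omit" keeps the browser from attaching a BookStack session cookie,
      // so the request is judged on the token owner and not on whoever is logged in.
      credentials: "omit",
      headers: {
        Accept: "application/json",
        Authorization: `Token ${tokenId}:${tokenSecret}`,
      },
    },
  };
}

// Map a response to the check worth doing next.
function diagnose(status, body, sentCookies) {
  const err = body && body.error;
  if (status !== 403 || !err || err.message !== PERMISSION_ERROR) return "other";
  // With cookies sent, the 403 may describe the session user, not the token owner.
  return sentCookies ? "check-session-user" : "check-token-owner-roles";
}

// Fetch /api/pages; fetchImpl is injectable so the call can be exercised offline.
async function listPages(baseUrl, tokenId, tokenSecret, fetchImpl = fetch) {
  const { url, options } = buildApiRequest(baseUrl, "/api/pages", tokenId, tokenSecret);
  const res = await fetchImpl(url, options);
  const body = await res.json();
  if (!res.ok) {
    const hint = diagnose(res.status, body, options.credentials !== "omit");
    throw new Error(`BookStack API ${res.status} (${hint}): ${body?.error?.message}`);
  }
  return body;
}
```

A `check-token-owner-roles` result points back to the questions asked earlier in the thread: which user owns the token and whether one of its roles grants "Access System API".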