Database API 42501 errors

Postgres 42501 errors, often reported by clients as 401 or 403 errors, imply the request lacked adequate privileges. They can be viewed in the log explorer by running:

1
select
2
  cast(postgres_logs.timestamp as datetime) as timestamp,
3
  event_message,
4
  parsed.error_severity,
5
  parsed.user_name,
6
  parsed.query,
7
  parsed.detail,
8
  parsed.hint
9
from
10
  postgres_logs
11
  cross join unnest(metadata) as metadata
12
  cross join unnest(metadata.parsed) as parsed
13
where
14
  regexp_contains(parsed.error_severity, 'ERROR|FATAL|PANIC')
15
  and parsed.sql_state_code = '42501'
16
order by timestamp desc
17
limit 100;

They tend to be caused by one of the following factors.

Attempted to access a forbidden schema#

API roles cannot access certain schemas, most notably auth and vault. This restriction extends to Foreign Data Wrappers relying on vault. While you can bypass it using a security definer function, these schemas are intentionally restricted for security reasons.

Attempted to access a custom schema#

If you created a custom schema, you will have to give the Database API permission to query it. Follow our Using Custom Schemas guide for more directions.

Revoked object level access:#

In rare cases, users may accidentally revoke object-level access in public from their API roles. To regrant full visibility, run the below code:

1
grant usage on schema public to anon, authenticated, service_role;
2
grant all on all tables in schema public to anon, authenticated, service_role;
3
grant all on all routines in schema public to anon, authenticated, service_role;
4
grant all ON all sequences in schema public to anon, authenticated, service_role;
5
alter default privileges for role postgres in schema public grant all on tables to anon, authenticated, service_role;
6
alter default privileges for role postgres in schema public grant all on routines to anon, authenticated, service_role;
7
alter default privileges for role postgres in schema public grant all on sequences to anon, authenticated, service_role;

Configured column-level restrictions#

If you've set column-based access in the Dashboard or via SQL, queries will fail with a 42501 error when accessing restricted columns. This includes using select *, as it expands to include forbidden columns.

RLS:#

If the anon or authenticated roles attempt to UPDATE or INSERT values without the necessary RLS permissions, Postgres will return a 42501 error.