Images access forbidden

9 months ago


Probably something easy on my part, but for some reason I am getting the error below on my frontend when trying to access images from the CMS:

Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/APIError.ts:26:11)
    at new APIError (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/APIError.ts:43:5)
    at new Forbidden (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/Forbidden.ts:7:5)
    at executeAccess (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/auth/executeAccess.ts:9:43)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at /app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/auth/getExecuteStaticAccess.ts:14:28

All my collections are accessed using the same client and basic authentication with a JWT token.

Below is my Image Collection config:

export const Images: CollectionConfig = {
  slug: 'images',
  admin: {
    useAsTitle: 'filename',
  },
  upload: {
    staticURL: '/media',
    staticDir: 'media',
    adminThumbnail: 'thumbnail',
    mimeTypes: ['image/*'],
  },
  fields: [...

I am also using CloudStorage access for non-local application:

plugins: [
  cloudStorage({
    collections: {
      [Images.slug]: {
        adapter: process.env.AWS_ASSET_STORAGE_ENABLED === 'true' ? S3Adapter : null,
      },
    },
  }),

Probably something easy, but I cannot locate it. All the other collections are normally retrieved.
What is even stranger is that when I log in to the CMS via the UI, images on the frontend suddenly start appearing (?)

  • Payload Team
    9 months ago

    This makes sense, you should define a read access control on your image collection, like so:

    access: {
      read: () => true,
    },

    Access control defaults to checking if a user exists on the request, which is why they appear when you are logged in.

  • 9 months ago

    Just a note, if anyone encounters it as well:

    While this might have been partially an issue as well, my main issue was the oauthproxy wall I had on my Frontend and CMS. Weird that it only affected images, but lifting the oauth wall from the /images path did the trick.

    Thanks for the answer though!
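
The read rule from the Payload Team answer, next to the default it replaces and a narrower variant, as an added TypeScript example that is not part of the thread or Payload's own code. The types and `canServe` are simplified stand-ins for this example, and the `isPublic` field is hypothetical.

```typescript
// Simplified local stand-ins for the shapes an access function sees
// (assumption: the real types come from Payload itself).
type User = { id: string } | null;
type Where = Record<string, { equals: unknown }>;
type Access = (args: { req: { user: User } }) => boolean | Where;

// Default described in the answer: allowed only when a user is on the request.
const defaultRead: Access = ({ req }) => Boolean(req.user);

// The fix from the answer: every uploaded image is readable by anyone.
const publicRead: Access = () => true;

// Narrower variant: logged-in users read everything, anonymous requests only
// match documents whose hypothetical `isPublic` field is true.
const scopedRead: Access = ({ req }) =>
  req.user ? true : { isPublic: { equals: true } };

type ImageDoc = { filename: string; isPublic: boolean };

// Toy evaluator (not Payload's code): is a request for this file served?
function canServe(access: Access, user: User, doc: ImageDoc): boolean {
  const result = access({ req: { user } });
  if (typeof result === 'boolean') return result;
  // A query constraint only matches documents that satisfy every condition.
  return Object.keys(result).every(
    (field) => (doc as Record<string, unknown>)[field] === result[field].equals,
  );
}

// Constructed sample documents and user.
const logo: ImageDoc = { filename: 'logo.png', isPublic: true };
const draft: ImageDoc = { filename: 'unreleased.png', isPublic: false };
const editor: User = { id: 'u1' };

// Decisions for: anonymous + logo, anonymous + draft, logged-in + draft.
function decisions(access: Access): boolean[] {
  return [
    canServe(access, null, logo),
    canServe(access, null, draft),
    canServe(access, editor, draft),
  ];
}

console.log('default', decisions(defaultRead));
console.log('public ', decisions(publicRead));
console.log('scoped ', decisions(scopedRead));
```

With `read: () => true` the anonymous request for the draft image is served as well, which is the trade-off to weigh before making an upload collection public.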
