Images access forbidden

adam-mrozik, last year


Probably something easy on my part, but for some reason I am getting the error below on my frontend when trying to access images from the CMS:

Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/APIError.ts:26:11)
    at new APIError (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/APIError.ts:43:5)
    at new Forbidden (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/Forbidden.ts:7:5)
    at executeAccess (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/auth/executeAccess.ts:9:43)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at /app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/auth/getExecuteStaticAccess.ts:14:28

All my collections are accessed using the same client and basic Authentication with JWT token.

Below is my Image Collection config:

export const Images: CollectionConfig = {
  slug: 'images',
  admin: {
    useAsTitle: 'filename',
  },
  upload: {
    staticURL: '/media',
    staticDir: 'media',
    adminThumbnail: 'thumbnail',
    mimeTypes: ['image/*'],
  },
  fields: [...

I am also using CloudStorage access for non-local application:

plugins: [
      collections: {
        [Images.slug]: {
            process.env.AWS_ASSET_STORAGE_ENABLED === 'true' ? S3Adapter : null,

Probably something easy, but I cannot locate it. All the other collections are normally retrieved.
What is even more strange is that when I log in to the CMS via the UI, images on the Frontend suddenly start appearing (?)

  • Selected Answer
    last year

    This makes sense, you should define a read access control on your image collection, like so:

    access: {
      read: () => true
    },

    Access control defaults to checking if a user exists on the request, which is why they appear when you are logged in.

  • adam-mrozik, last year

    Just a note, if anyone encounters it as well:

    While this might have been partially an issue as well, my main issue was the oauthproxy wall I had on my Frontend and CMS. Weird that it only affected images, but lifting the oauth wall from the /images path did the trick.

    Thanks for the answer though!
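
Added example (not part of the thread and not Payload's own code): a simplified TypeScript model of the behaviour in the selected answer, showing why an undefined `read` yields Forbidden for anonymous requests but works once logged in, next to a narrower alternative to `read: () => true`. The `isPublic` field, the `serveStatic` helper and the sample requests and documents are assumptions constructed for illustration.

```typescript
// Simplified model of the check described in the selected answer.
// Not Payload's source; all names below are illustrative assumptions.
type Req = { user: { id: string } | null };
type Where = Record<string, { equals: unknown }>;
type Access = (args: { req: Req }) => boolean | Where;
type ImageDoc = { filename: string; isPublic: boolean };

// No `read` defined: allowed only when a user exists on the request.
const defaultAccess: Access = ({ req }) => Boolean(req.user);

// The answer's fix: every file in the collection is readable by anyone.
const publicRead: Access = () => true;

// Narrower option: anonymous requests are limited to documents whose
// hypothetical `isPublic` checkbox field is true.
const flaggedRead: Access = ({ req }) =>
  req.user ? true : { isPublic: { equals: true } };

// Model of serving /media/<filename>: 200 if access allows the doc, else 403.
function serveStatic(access: Access, req: Req, doc: ImageDoc): number {
  const result = access({ req });
  if (typeof result === 'boolean') return result ? 200 : 403;
  // A non-boolean result is a query constraint; evaluate its `equals` clauses.
  const where: Where = result;
  const fields: Record<string, unknown> = doc;
  return Object.keys(where).every((f) => fields[f] === where[f].equals)
    ? 200
    : 403;
}

// Constructed sample requests and documents.
const anonymous: Req = { user: null };
const loggedIn: Req = { user: { id: 'constructed-user' } };
const draft: ImageDoc = { filename: 'draft.png', isPublic: false };
const hero: ImageDoc = { filename: 'hero.png', isPublic: true };
```

With `publicRead`, the anonymous request gets `draft.png` as well as `hero.png`; with `flaggedRead` it gets only `hero.png`, while a logged-in request still gets both.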
