Database API 42501 errors

Last edited: 9/9/2025

Postgres 42501 errors, often reported by clients as 401 or 403 errors, imply the request lacked adequate privileges. They can be viewed in the log explorer by running:

1
select
2
  cast(postgres_logs.timestamp as datetime) as timestamp,
3
  event_message,
4
  parsed.error_severity,
5
  parsed.user_name,
6
  parsed.query,
7
  parsed.detail,
8
  parsed.hint
9
from
10
  postgres_logs
11
  cross join unnest(metadata) as metadata
12
  cross join unnest(metadata.parsed) as parsed
13
where
14
  regexp_contains(parsed.error_severity, 'ERROR|FATAL|PANIC')
15
  and parsed.sql_state_code = '42501'
16
order by timestamp desc
17
limit 100;

They tend to be caused by one of the following factors.

Attempted to access a forbidden schema

API roles cannot access certain schemas, most notably auth and vault. This restriction extends to Foreign Data Wrappers relying on vault. While you can bypass it using a security definer function, these schemas are intentionally restricted for security reasons.

Attempted to access a custom schema

If you created a custom schema, you will have to give the Database API permission to query it. Follow our Using Custom Schemas guide for more directions.

Revoked object level access:

In rare cases, users may accidentally revoke object-level access in public from their API roles. To regrant full visibility, run the below code:

1
grant usage on schema public to anon, authenticated, service_role;
2
grant all on all tables in schema public to anon, authenticated, service_role;
3
grant all on all routines in schema public to anon, authenticated, service_role;
4
grant all ON all sequences in schema public to anon, authenticated, service_role;
5
alter default privileges for role postgres in schema public grant all on tables to anon, authenticated, service_role;
6
alter default privileges for role postgres in schema public grant all on routines to anon, authenticated, service_role;
7
alter default privileges for role postgres in schema public grant all on sequences to anon, authenticated, service_role;

Configured column-level restrictions

If you've set column-based access in the Dashboard or via SQL, queries will fail with a 42501 error when accessing restricted columns. This includes using select *, as it expands to include forbidden columns.

RLS:

If the anon or authenticated roles attempt to UPDATE or INSERT values without the necessary RLS permissions, Postgres will return a 42501 error.