Database API 42501 errors

Last edited: 6/5/2025

Postgres 42501 errors, often reported by clients as 401 or 403 errors, imply the request lacked adequate privileges. They can be viewed in the log explorer by running:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
select  cast(postgres_logs.timestamp as datetime) as timestamp,  event_message,  parsed.error_severity,  parsed.user_name,  parsed.query,  parsed.detail,  parsed.hintfrom  postgres_logs  cross join unnest(metadata) as metadata  cross join unnest(metadata.parsed) as parsedwhere  regexp_contains(parsed.error_severity, 'ERROR|FATAL|PANIC')  and parsed.sql_state_code = '42501'order by timestamp desclimit 100;

They tend to be caused by one of the following factors.

Attempted to access a forbidden schema

API roles cannot access certain schemas, most notably auth and vault. This restriction extends to Foreign Data Wrappers relying on vault. While you can bypass it using a security definer function, these schemas are intentionally restricted for security reasons.

Attempted to access a custom schema

If you created a custom schema, you will have to give the Database API permission to query it. Follow our Using Custom Schemas guide for more directions.

Revoked object level access:

In rare cases, users may accidentally revoke object-level access in public from their API roles. To regrant full visibility, run the below code:

1
2
3
4
5
6
7
grant usage on schema public to anon, authenticated, service_role;grant all on all tables in schema public to anon, authenticated, service_role;grant all on all routines in schema public to anon, authenticated, service_role;grant all ON all sequences in schema public to anon, authenticated, service_role;alter default privileges for role postgres in schema public grant all on tables to anon, authenticated, service_role;alter default privileges for role postgres in schema public grant all on routines to anon, authenticated, service_role;alter default privileges for role postgres in schema public grant all on sequences to anon, authenticated, service_role;

Configured column-level restrictions

If you've set column-based access in the Dashboard or via SQL, queries will fail with a 42501 error when accessing restricted columns. This includes using select *, as it expands to include forbidden columns.

RLS:

If the anon or authenticated roles attempt to UPDATE or INSERT values without the necessary RLS permissions, Postgres will return a 42501 error.