markFileAsViewed GraphQL mutation returns "Resource not accessible by personal access token" with fine-grained PAT

[suveshmoza]

🏷️ Discussion Type

Bug

💬 Feature/Topic Area

API

Body

I'm working with the GitHub GraphQL API and trying to use the markFileAsViewed mutation. The mutation succeeds when authenticated with a classic PAT that has the repo scope, but fails when using a fine-grained PAT, even though the token has required permissions.

Token permissions:

Permission	Access
Pull requests	Read and write
Contents	Read and write
Metadata	Read-only

The API response is:

{
  "data": {
    "markFileAsViewed": null
  },
  "errors": [
    {
      "type": "FORBIDDEN",
      "path": ["markFileAsViewed"],
      "extensions": {
        "saml_failure": false
      },
      "message": "Resource not accessible by personal access token"
    }
  ]
}

Are there any additional permissions required to use this mutation?

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[dacdoyx]

The issue is that fine-grained PATs require explicit repository-level access in addition to the right permissions.

The markFileAsViewed mutation needs pull_requests: write permission (which you already have), but the PAT must also be installed on the specific repository containing the PR.

Two things to check:

1. Repository access: When creating the fine-grained PAT, did you select "All repositories" or only "Only select repositories"? If the repo containing the PR isn't explicitly selected, you will get this error. Go to https://github.com/settings/tokens and check the PAT's repository access.

2. Organization restrictions: If the repository belongs to an organization that has blocked fine-grained PATs (which some orgs do by default), the mutation will fail with this error regardless of permissions. Try a classic PAT as a workaround, or check with your org admin.

For context, classic PATs with the repo scope bypass per-repo checks because they automatically inherit all repos your account can access. Fine-grained PATs are more granular, which is why they fail if the repo isn't explicitly included.

You can verify by creating a new fine-grained PAT that targets "All repositories" with pull_requests: write permission and trying the mutation again. If it works, the issue was repo access selection.

[suveshmoza]

Thanks, my use case currently falls under Fine-grained personal access tokens limitations