"Prevented by server side hooks" error when using project access token for /repository/files

UPDATE - Problem Solved

I figured out that the issue was in fact caused by one of my pre commit hooks. I have a hook which requires the author email to be of a specific format, and when I was using the project token the author email was empty (whereas it defaulted to my email when I used the personal token)
So the real error here was the lack of clear logging, which led me down this rabbit hole :slight_smile:

Problem to solve

I am trying to update a specific file, in a specific branch in a repository in Gitlab, using the /repository/files_api.
More context: I am creating a gitlab runner what will run a build script which produces some binaries. I want to store the checksums of these binaries in a separate repository

To do this I:

  • In the source repository, Run the build script which output a list of checksums
  • Create a new branch in the target repo, based on the master branch
  • (Try to) update a file called checksums using the repository/files/api
  • Create a merge request from this branch to the master branch in the target repo

When I tested locally at first it worked, but when I tried to execute this from within the runner i started encountering this error:

{"message":"Prevented by server hooks"}%

After some debugging I figured out that the problem was that initially I was using a personal access token (I am a maintainer on all repositories in our setup), and in the runner I am trying to use a project access token.
This token has been created in the target repository and I have given it the “Owner” role. It has all permissions. However, the issue persists.

Steps to reproduce

Sample request:

curl --request PUT 
--header "Content-Type: application/json" 
--data '{"branch": "testy-test", "author_email": "author@example.com", 
"content": "some_content", "commit_message": "update file testing"}' 

If “TOKEN” is a personal access token (with Maintainer acces level) this works perfectly.
If “TOKEN” is a project access token belongting the the target project then this seemingly always returns an error

Things I’ve tried:

  • Changing the role of the access token from “maintainer” to “Owner”
  • Given the token all possible privileges, instead of just api/write_repository


As the error is the exact same in the runner as when testing locally (ie. it’s easily reproduceable) I have opted not to include this for now.


Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners


  • GitLab: 16.7.5