Remote: You are not allowed to upload code. 403

I’m confused using GitLib and its security features.

I’ve created a project, create a ‘private’ repository. I’m the maintainer, I’ve uploaded, pushed changed code. And everything worked fine. I’m working on Win10, using the push command button, provided by VCode.

With previous old projects (some years ago, Win7) VCode asked me for a username/password before to upload took place. Now it doesn’t but it works, the ‘master’ is updated.

I created a second project, performing the same steps. But now it refuses to upload the initial code to ‘master’.

git push
remote: You are not allowed to upload code.
fatal: unable to access ‘’: The requested URL returned error: 403

As I understood it correctly, I need to provide my credentials or change/configure something?
And my first project, which worked before, gives the same error message.

  • What are the steps to get access to a GitLab repo? As a private/protected project.
    And where I am the maintainer/owner?
  • How does VCode know which account to use?. My “package.json”, doesn’t contain any GIT configuration.
    Which I found already strange, but it worked fine in my first project. But now it doesn’t anymore. The reason for posting this message.

Note: In my second project, I included a nmp dependency “package.json” to my firts project. For this I created a TOKEN

“dependencies”: {
“project1”: “

Can it be, that with ‘oauth2’ activated??, I need to setup my working environment differently?

Also, I see in ‘package.json’ a label “private”:true. If you set "private": true in your package.json, then npm will refuse to publish it. This is a way to prevent accidental publication of private repositories. Also confusion here.

Any suggestions, what I can read, study, or follow some guidelines? This is completely new to me.

Usually you will find it in the project directory which you cloned locally in the .git/config file. So for example, in the .git/config file you will see something like:

[remote "origin"]
	url =

then just replace username:password or if this doesn’t exist, add it so that it looks similar to above. Alternatively, the password could be an access token you created so then the access token would be put where password is supposed to be. Either way, it will work and allow push/pull.

1 Like

Thank you, it works.
But still, for me, so strange that it worked without the ‘username:password@’.