Which Personal Access Token scopes are necessary to create a GitHub Repository Webhook?

Question

I'm attempting to use a GitHub Personal Access Token to create a repository webhook on a private GitHub repository my user has access to.

Since this PAT is being used by an automated script, I want its scope to be as limited as possible. As such, I created a PAT with only the admin:repo_hook scope. It seems this scope is too limited, however, as a POST to https://api.github.com/repos/ORGANIZATION/REPO/hooks is returning a 404.

(I've confirmed the repository name and organization name match. The 404 may indicate that the token does not have sufficient permissions to see the repo, as described here)

The API supports Basic Authentication as defined in RFC2617 with a few slight differences. The main difference is that the RFC requires unauthenticated requests to be answered with 401 Unauthorized responses. In many places, this would disclose the existence of user data. Instead, the GitHub API responds with 404 Not Found.

What scopes do I need to add to my Personal Access Token to successfully create a repository webhook?

Answer 1

I figured it out. One additional requirement I overlooked in this case: the user in question wasn't actually an Admin on the repository, meaning even a PAT with full permissions would be unable to create a webhook.

Upgrading the user to Admin on the relevant repository was sufficient to solve this problem.