Description
What happened?
Summary
When using Octokit's high-level methods (specifically, octokit.teams.addOrUpdateMembershipForUserInOrg()), I consistently receive a 403 permission error despite having organization owner permissions. However, identical requests using curl or octokit.request() work perfectly.
Steps to Reproduce
- Use Octokit v21.0.0 with a valid GitHub token with organization owner permissions
- Attempt to add a user (from outside of my org) to a (visible) team using the high-level method:
await octokit.teams.addOrUpdateMembershipForUserInOrg({
  org: 'OrganizationName',
  team_slug: 'team-name',
  username: 'github-username',
  role: 'member'
})
This should be possible according to the docs: https://octokit.github.io/rest.js/v21/#teams-add-or-update-membership-for-user-in-org
I can confirm that
- I am the org owner,
- I am the team maintainer,
- my personal access token works, so it has the right permissions,
- my app is using the correct token in dev & prod,
- the team is visible (not secret)
Error Message
[HttpError]: You must be an organization owner or team maintainer to add a team membership. - https://docs.github.com/rest/teams/members#add-or-update-team-membership-for-a-user status: 403
Expected Behavior
The high-level method should successfully add the user to the team, just like the following working alternatives do:
Working direct API call with curl:
curl -X PUT \
  -H "Authorization: token GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -d '{"role":"member"}' \
  https://api.github.com/orgs/OrganizationName/teams/team-name/memberships/github-username
Working request with Octokit's request method:
await octokit.request('PUT /orgs/{org}/teams/{team_slug}/memberships/{username}', {
  org: 'OrganizationName',
  team_slug: 'team-name',
  username: 'github-username',
  role: 'member',
  headers: {
    'X-GitHub-Api-Version': '2022-11-28'
  }
})
Versions
Octokit version: 21.0.0
Octokit core: 6.1.2
Node: 20.18.3
OS: Linux
Relevant log output
PUT /orgs/REDACTED/teams/REDACTED/memberships/REDACTED - 403 with id CE5C:10F0A6:3B1AD3:76B6B2:681A028D in 100ms
[HttpError]: You must be an organization owner or team maintainer to add a team membership. - https://docs.github.com/rest/teams/members#add-or-update-team-membership-for-a-user
[REDACTED some internal error codes]{
  status: 403,
  request: {
    method: 'PUT',
    url: 'https://api.github.com/orgs/REDACTED/teams/REDACTED/memberships/REDACTED',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-rest.js/21.0.0 octokit-core.js/6.1.2 Node.js/20.18.3 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"role":"member"}',
    request: { hook: [Function: bound bound s] }
  },
  response: {
    url: 'https://api.github.com/orgs/REDACTED/teams/REDACTED/memberships/REDACTED',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Tue, 06 May 2025 12:37:33 GMT',
      'github-authentication-token-expiration': '2025-12-20 09:33:12 +0100',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'members=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'CE5C:10F0A6:3B1AD3:76B6B2:681A028D',
      'x-ratelimit-limit': '5000',
      'x-ratelimit-remaining': '4999',
      'x-ratelimit-reset': '1746538653',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'You must be an organization owner or team maintainer to add a team membership.',
      documentation_url: 'https://docs.github.com/rest/teams/members#add-or-update-team-membership-for-a-user',
      status: '403'
    }
  }
}
Code of Conduct
- I agree to follow this project's Code of Conduct
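An added example, not part of the original report and not Octokit's own code: a helper that reduces an error object shaped like the dump above to the fields relevant to a permission 403, replacing the `authorization` value with a short SHA-256 fingerprint so that captures from two environments can be compared without logging the token. The function names and sample tokens are assumptions; the header names are those shown in the dump.

```javascript
// Added example; function names are hypothetical, header names come from the dump above.
const { createHash } = require('node:crypto');

// Short SHA-256 fingerprint of the credential, so two runs can be compared
// without the token itself ever reaching a log.
function tokenFingerprint(authorization) {
  const [scheme, secret] = String(authorization || '').trim().split(/\s+/, 2);
  if (!secret) return null;
  const digest = createHash('sha256').update(secret).digest('hex');
  return `${scheme.toLowerCase()}:sha256:${digest.slice(0, 12)}`;
}

// Reduce an HttpError-shaped object to what matters when triaging a permission 403.
function summarize403(err) {
  const req = err.request || {};
  const h = (err.response || {}).headers || {};
  return {
    status: err.status,
    route: `${req.method} ${req.url}`,
    body: req.body,
    credential: tokenFingerprint((req.headers || {}).authorization),
    acceptedPermissions: h['x-accepted-github-permissions'] ?? null,
    oauthScopes: h['x-oauth-scopes'] ?? null,
    acceptedOauthScopes: h['x-accepted-oauth-scopes'] ?? null,
    apiVersion: h['x-github-api-version-selected'] ?? null,
    tokenExpires: h['github-authentication-token-expiration'] ?? null,
    requestId: h['x-github-request-id'] ?? null,
  };
}

// Keys on which two summaries differ (the request id is unique per call, so skip it).
function diffSummaries(a, b) {
  return Object.keys(a).filter((k) => k !== 'requestId' && a[k] !== b[k]);
}

// Constructed sample shaped like the dump above; the tokens are made-up placeholders.
function sampleError(token) {
  return {
    status: 403,
    request: {
      method: 'PUT',
      url: 'https://api.github.com/orgs/ORG/teams/TEAM/memberships/USER',
      headers: { authorization: `token ${token}` },
      body: '{"role":"member"}',
    },
    response: { headers: { 'x-accepted-github-permissions': 'members=write',
      'x-github-api-version-selected': '2022-11-28' } },
  };
}
```

Calling `diffSummaries(summarize403(errA), summarize403(errB))` on captures from two environments returns `['credential']` when the only difference is the token being sent.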