diff --git a/changelogs/unreleased/250580-fix-graphql-api-token-authentication.yml b/changelogs/unreleased/250580-fix-graphql-api-token-authentication.yml new file mode 100644 index 00000000000..8beebf53a02 --- /dev/null +++ b/changelogs/unreleased/250580-fix-graphql-api-token-authentication.yml @@ -0,0 +1,5 @@ +--- +title: Fix GraphQL token authentication when installed under a relative URL +merge_request: 42706 +author: +type: fixed diff --git a/doc/api/search.md b/doc/api/search.md index cb90b9a064c..ae663f64755 100644 --- a/doc/api/search.md +++ b/doc/api/search.md @@ -27,7 +27,7 @@ GET /search Search the expression within the specified scope. Currently these scopes are supported: projects, issues, merge_requests, milestones, snippet_titles, users. -If Elasticsearch is enabled additional scopes available are blobs, wiki_blobs and commits. Find more about [the feature](../integration/elasticsearch.md). **(STARTER)** +If Elasticsearch is enabled additional scopes available are blobs, wiki_blobs, notes, and commits. Find more about [the feature](../integration/elasticsearch.md). **(STARTER)** The response depends on the requested scope. 
@@ -362,6 +362,40 @@ Example response: NOTE: **Note:** `filename` is deprecated in favor of `path`. Both return the full path of the file inside the repository, but in the future `filename` will be only the file name and not the full path. For details, see [issue 34521](https://gitlab.com/gitlab-org/gitlab/-/issues/34521). +### Scope: notes **(STARTER)** + +This scope is available only if [Elasticsearch](../integration/elasticsearch.md) is enabled. + +```shell +curl --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/6/search?scope=notes&search=maxime" +``` + +Example response: + +```json +[ + { + "id": 191, + "body": "Harum maxime consequuntur et et deleniti assumenda facilis.", + "attachment": null, + "author": { + "id": 23, + "name": "User 1", + "username": "user1", + "state": "active", + "avatar_url": "https://www.gravatar.com/avatar/111d68d06e2d317b5a59c2c6c5bad808?s=80&d=identicon", + "web_url": "http://localhost:3000/user1" + }, + "created_at": "2017-09-05T08:01:32.068Z", + "updated_at": "2017-09-05T08:01:32.068Z", + "system": false, + "noteable_id": 22, + "noteable_type": "Issue", + "noteable_iid": 2 + } +] +``` + ### Scope: users ```shell @@ -402,7 +436,7 @@ GET /groups/:id/search Search the expression within the specified scope. Currently these scopes are supported: projects, issues, merge_requests, milestones, users. -If Elasticsearch is enabled additional scopes available are blobs, wiki_blobs and commits. Find more about [the feature](../integration/elasticsearch.md). **(STARTER)** +If Elasticsearch is enabled additional scopes available are blobs, wiki_blobs, notes, and commits. Find more about [the feature](../integration/elasticsearch.md). **(STARTER)** The response depends on the requested scope. 
@@ -706,6 +740,40 @@ Example response: NOTE **Note:** `filename` is deprecated in favor of `path`. Both return the full path of the file inside the repository, but in the future `filename` will be only the file name and not the full path. For details, see [issue 34521](https://gitlab.com/gitlab-org/gitlab/-/issues/34521). +### Scope: notes **(STARTER)** + +This scope is available only if [Elasticsearch](../integration/elasticsearch.md) is enabled. + +```shell +curl --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/6/search?scope=notes&search=maxime" +``` + +Example response: + +```json +[ + { + "id": 191, + "body": "Harum maxime consequuntur et et deleniti assumenda facilis.", + "attachment": null, + "author": { + "id": 23, + "name": "User 1", + "username": "user1", + "state": "active", + "avatar_url": "https://www.gravatar.com/avatar/111d68d06e2d317b5a59c2c6c5bad808?s=80&d=identicon", + "web_url": "http://localhost:3000/user1" + }, + "created_at": "2017-09-05T08:01:32.068Z", + "updated_at": "2017-09-05T08:01:32.068Z", + "system": false, + "noteable_id": 22, + "noteable_type": "Issue", + "noteable_iid": 2 + } +] +``` + ### Scope: users ```shell diff --git a/doc/user/packages/container_registry/index.md b/doc/user/packages/container_registry/index.md index 5f89ed40647..5dc7bed7eb0 100644 --- a/doc/user/packages/container_registry/index.md +++ b/doc/user/packages/container_registry/index.md @@ -342,7 +342,7 @@ the deleted images. To delete images from within GitLab: -1. Navigate to your project's or group's **{package}** **Packages & Registries > Container Registry**. +1. Navigate to your project's or group's **Packages & Registries > Container Registry**. 1. From the **Container Registry** page, you can select what you want to delete, by either: diff --git a/doc/user/packages/go_proxy/index.md b/doc/user/packages/go_proxy/index.md index edf1528a751..bd3b5b49ebd 100644 --- a/doc/user/packages/go_proxy/index.md 
+++ b/doc/user/packages/go_proxy/index.md @@ -50,7 +50,7 @@ Feature.disable(:go_proxy, Project.find(2)) ### Enable the Package Registry The Package Registry is enabled for new projects by default. If you cannot find -the **{package}** **Packages > List** entry under your project's sidebar, verify +the **Packages > List** entry under your project's sidebar, verify the following: 1. Your GitLab administrator has diff --git a/doc/user/packages/package_registry/index.md b/doc/user/packages/package_registry/index.md index 9f954627b05..0f2a729b771 100644 --- a/doc/user/packages/package_registry/index.md +++ b/doc/user/packages/package_registry/index.md @@ -17,7 +17,7 @@ packages, which can be easily consumed as a dependency in downstream projects. You can view packages for your project or group. 1. Go to the project or group. -1. Go to **{package}** **Packages & Registries > Package Registry**. +1. Go to **Packages & Registries > Package Registry**. You can search, sort, and filter packages on this page. @@ -45,7 +45,7 @@ user who triggered it. To download a package: -1. Go to **{package}** **Packages & Registries > Package Registry**. +1. Go to **Packages & Registries > Package Registry**. 1. Click the name of the package you want to download. 1. In the **Activity** section, click the name of the package you want to download. @@ -60,7 +60,7 @@ You can delete packages by using [the API](../../../api/packages.md#delete-a-pro To delete a package in the UI, from your group or project: -1. Go to **{package}** **Packages & Registries > Package Registry**. +1. Go to **Packages & Registries > Package Registry**. 1. Find the name of the package you want to delete. 1. Click **Delete**. 
@@ -71,7 +71,7 @@ The package is permanently deleted. The Package Registry is automatically enabled. If you are using a self-managed instance of GitLab, your administrator can remove -the menu item, **{package}** **Packages & Registries**, from the GitLab sidebar. For more information, +the menu item, **Packages & Registries**, from the GitLab sidebar. For more information, see the [administration documentation](../../../administration/packages/index.md). You can also remove the Package Registry for your project specifically: @@ -81,7 +81,7 @@ You can also remove the Package Registry for your project specifically: **Packages** feature. 1. Click **Save changes**. -The **{package}** **Packages & Registries > Package Registry** entry is removed from the sidebar. +The **Packages & Registries > Package Registry** entry is removed from the sidebar. ## Package workflows diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb index ccf52bae9a5..3d3f7212053 100644 --- a/lib/gitlab/auth/auth_finders.rb +++ b/lib/gitlab/auth/auth_finders.rb @@ -290,7 +290,7 @@ module Gitlab end def api_request? - current_request.path.starts_with?('/api/') + current_request.path.starts_with?(Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/api/')) end def archive_request? diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb index 1ac8ebe1369..2ebde145bfd 100644 --- a/spec/lib/gitlab/auth/auth_finders_spec.rb +++ b/spec/lib/gitlab/auth/auth_finders_spec.rb 
@@ -419,10 +419,30 @@ RSpec.describe Gitlab::Auth::AuthFinders do expect(find_user_from_web_access_token(:ics)).to eq(user) end - it 'returns the user for API requests' do - set_header('SCRIPT_NAME', '/api/endpoint') + context 'for API requests' do + it 'returns the user' do + set_header('SCRIPT_NAME', '/api/endpoint') - expect(find_user_from_web_access_token(:api)).to eq(user) + expect(find_user_from_web_access_token(:api)).to eq(user) + end + + it 'returns nil if URL does not start with /api/' do + set_header('SCRIPT_NAME', '/relative_root/api/endpoint') + + expect(find_user_from_web_access_token(:api)).to be_nil + end + + context 'when relative_url_root is set' do + before do + stub_config_setting(relative_url_root: '/relative_root') + end + + it 'returns the user' do + set_header('SCRIPT_NAME', '/relative_root/api/endpoint') + + expect(find_user_from_web_access_token(:api)).to eq(user) + end + end end end
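Review bot: the changelog title names GraphQL only, but the code change is in `Gitlab::Auth::AuthFinders#api_request?`, which the spec exercises through `find_user_from_web_access_token(:api)`, so it affects every `:api`-scope web access token lookup under a relative URL root, not just the GraphQL endpoint; consider a title such as "Fix API token authentication when installed under a relative URL" so the entry matches the scope of the fix.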
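Review bot: in the `@@ -362,6 +362,40 @@` hunk of `doc/api/search.md` the new "Scope: notes" example is placed in the global `GET /search` section, yet the `curl` line targets `https://gitlab.example.com/api/v4/projects/6/search?scope=notes&search=maxime`, which is the project-level endpoint; the global example should use `https://gitlab.example.com/api/v4/search?scope=notes&search=maxime`. The `--header "PRIVATE-TOKEN: "` value is also empty, so the example does not run as written; the other examples in this file use a placeholder token, and this one should too. Since the response carries a full note `body`, it would also help readers to state which notes this scope can return, the same way the existing text refers to the Elasticsearch feature page.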
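Review bot: the `@@ -706,6 +740,40 @@` hunk of `doc/api/search.md` is a verbatim copy of the global-section example, but it sits under `GET /groups/:id/search` (see the `@@ -402,7 +436,7 @@` context), so the request line should be the group endpoint, for example `https://gitlab.example.com/api/v4/groups/6/search?scope=notes&search=maxime`, and the same empty `PRIVATE-TOKEN:` value needs a placeholder. Reusing an identical JSON response for both sections is fine, but the URL must match the section it documents.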
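Review bot: in `lib/gitlab/auth/auth_finders.rb`, `api_request?` now builds the prefix with `Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/api/')`, which relies on `append_path` returning plain `/api/` when `relative_url_root` is nil or empty; the existing `/api/endpoint` spec covers that case, so it is worth keeping that spec next to the new relative-root ones. The neighbouring `archive_request?` (visible as trailing context in this hunk) and any other path checks in this module should be reviewed for the same hard-coded-prefix pattern, since a check that ignores `relative_url_root` either denies the token on relative-root installs (as this bug did) or, for a deny-list style check, could be bypassed.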
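Review bot: the new `when relative_url_root is set` context in `spec/lib/gitlab/auth/auth_finders_spec.rb` only asserts the positive case; add the negative one, which is the property this change actually introduces: with `stub_config_setting(relative_url_root: '/relative_root')`, a request to plain `/api/endpoint` should make `find_user_from_web_access_token(:api)` return `nil`, because the path no longer starts with `/relative_root/api/`. The description `'returns nil if URL does not start with /api/'` is accurate for `/relative_root/api/endpoint`, but wording it as "does not start with the API prefix" would read better alongside the relative-root context.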