Git "fatal: Authentication failed" over HTTPS in CI
The remote rejected the HTTPS credential. The connection reached the server, but the username/token pair was missing, wrong, or expired - so authentication failed before any repository data moved.
What this error means
A clone, fetch, or push over HTTPS fails with fatal: Authentication failed for 'https://github.com/org/repo.git/'. It is deterministic: the same credential fails every time until it is corrected.
remote: Invalid username or token. Password authentication is not supported
for Git operations.
fatal: Authentication failed for 'https://github.com/org/repo.git/'Common causes
Missing or invalid token
No credential was supplied, or the token is wrong/revoked. CI often forgets to inject a token for cross-repo or push operations, so the remote sees an empty or bad credential.
Expired or rotated credential
A PAT or App token that worked yesterday may have expired or been rotated. The same workflow then starts failing authentication with no code change.
Wrong username with the token
Over HTTPS the token must be paired with a valid username (for a PAT, your username; for an App/installation token, x-access-token). A mismatched username is rejected.
How to fix it
Embed a token in the remote URL
For installation/App tokens use x-access-token; for a PAT use your username. This is the most explicit way to authenticate a one-off clone/push.
git clone https://x-access-token:${GITHUB_TOKEN}@github.com/org/repo.git
# PAT form:
git clone https://USERNAME:${PAT}@github.com/org/repo.gitLet actions/checkout handle auth
On GitHub Actions, supply a token with the needed scope and let the action configure credentials.
- uses: actions/checkout@v4
with:
token: ${{ secrets.REPO_PAT }} # or the default GITHUB_TOKEN for same-repo accessRotate and re-store an expired token
- Confirm the token is still valid and not expired/revoked.
- Regenerate it with the required scopes and update the CI secret.
- Re-run; if it still fails, check the username paired with the token.
How to prevent it
- Use short-lived App/installation tokens or OIDC instead of long-lived PATs.
- Track token expiry and rotate before it lapses.
- Inject credentials via the checkout action or credential helper, not literals.