Skip to content
Latchkey

Git "fatal: Authentication failed" over HTTPS in CI

The remote rejected the HTTPS credential. The connection reached the server, but the username/token pair was missing, wrong, or expired - so authentication failed before any repository data moved.

What this error means

A clone, fetch, or push over HTTPS fails with fatal: Authentication failed for 'https://github.com/org/repo.git/'. It is deterministic: the same credential fails every time until it is corrected.

git output
remote: Invalid username or token. Password authentication is not supported
for Git operations.
fatal: Authentication failed for 'https://github.com/org/repo.git/'

Common causes

Missing or invalid token

No credential was supplied, or the token is wrong/revoked. CI often forgets to inject a token for cross-repo or push operations, so the remote sees an empty or bad credential.

Expired or rotated credential

A PAT or App token that worked yesterday may have expired or been rotated. The same workflow then starts failing authentication with no code change.

Wrong username with the token

Over HTTPS the token must be paired with a valid username (for a PAT, your username; for an App/installation token, x-access-token). A mismatched username is rejected.

How to fix it

Embed a token in the remote URL

For installation/App tokens use x-access-token; for a PAT use your username. This is the most explicit way to authenticate a one-off clone/push.

Terminal
git clone https://x-access-token:${GITHUB_TOKEN}@github.com/org/repo.git
# PAT form:
git clone https://USERNAME:${PAT}@github.com/org/repo.git

Let actions/checkout handle auth

On GitHub Actions, supply a token with the needed scope and let the action configure credentials.

.github/workflows/ci.yml
- uses: actions/checkout@v4
  with:
    token: ${{ secrets.REPO_PAT }}   # or the default GITHUB_TOKEN for same-repo access

Rotate and re-store an expired token

  1. Confirm the token is still valid and not expired/revoked.
  2. Regenerate it with the required scopes and update the CI secret.
  3. Re-run; if it still fails, check the username paired with the token.

How to prevent it

  • Use short-lived App/installation tokens or OIDC instead of long-lived PATs.
  • Track token expiry and rotate before it lapses.
  • Inject credentials via the checkout action or credential helper, not literals.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →