Skip to content
Latchkey

Git "Authentication failed" for HTTPS PAT in CI

The HTTPS credential Git supplied was rejected. The token is missing, expired, revoked, or lacks the scope for this repository, so the remote refuses authentication.

What this error means

A clone, fetch, or push over HTTPS fails with fatal: Authentication failed for the repository URL. It fails the same way every time.

git
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/org/repo.git/'

Common causes

Missing, expired, or revoked token

The PAT injected into the URL or credential helper is empty, past its expiry, or was rotated.

Insufficient token scope

A classic PAT without repo scope, or a fine-grained token without access to this repository, cannot authenticate for it.

Wrong username field

For an HTTPS token the username should be a placeholder like x-access-token (or the PAT itself), not your account password.

How to fix it

Supply a valid token correctly

  1. Store the PAT as a secret and inject it as the password with an x-access-token username.
  2. Confirm the token has not expired.
.github/workflows/ci.yml
git clone https://x-access-token:${{ secrets.GH_PAT }}@github.com/org/repo.git

Grant the right scope

  1. For classic PATs, enable repo scope.
  2. For fine-grained PATs, add repository access plus Contents read/write.

How to prevent it

  • Use short-lived, least-privilege fine-grained tokens scoped to the exact repos a job needs, and rotate them before expiry. Authentication failures are deterministic, so a retry will not fix bad credentials.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →