Git "Authentication failed for ..." with a Token in CI
A token was supplied but the host still rejected authentication. The token itself is the problem - expired, revoked, not granted this repository, or not SSO-authorized for the org.
What this error means
An HTTPS operation that passes a token fails with fatal: Authentication failed for 'https://github.com/org/repo.git/'. The same token may work on a different repo or org, which points at scope/expiry rather than a typo.
remote: Invalid username or token. Password authentication is not supported
for Git operations.
fatal: Authentication failed for 'https://github.com/org/repo.git/'Common causes
Expired or revoked token
A PAT or installation token that lapsed or was rotated authenticates no more. The workflow starts failing with no code change.
Fine-grained token missing this repository
A fine-grained PAT scoped to specific repos cannot authenticate against one outside its access list, so even a read fails.
SSO not authorized for the PAT
For an org with SAML SSO, a classic PAT must be explicitly authorized for that org. An unauthorized PAT is rejected even with correct scopes.
How to fix it
Rotate and re-store the token
- Confirm the token is current - not expired or revoked.
- Regenerate it with the required scopes/permissions and update the CI secret.
- For SAML orgs, authorize the PAT for SSO in the token settings.
Scope the token to this repository
For a fine-grained PAT, add the target repo to its repository access; for an App, confirm the installation covers it.
git ls-remote https://x-access-token:${GITHUB_TOKEN}@github.com/org/repo.git
# success here proves the token can see the repoHow to prevent it
- Prefer short-lived App/installation tokens or OIDC over long-lived PATs.
- Track token expiry and rotate before it lapses.
- Authorize PATs for SSO orgs and scope fine-grained tokens to the right repos.