Skip to content
Latchkey

Composer "Could not authenticate against github.com" in CI

Composer uses the GitHub API to fetch package metadata and dist archives. Unauthenticated requests share a low hourly rate limit; once exhausted, GitHub returns 403 and Composer reports it could not authenticate. Supplying a token via COMPOSER_AUTH raises the limit and enables private access.

What this error means

composer install fails with "Could not authenticate against github.com" or "Could not fetch ..., enter your GitHub credentials to go over the API rate limit".

Composer
Could not fetch https://api.github.com/repos/vendor/pkg/zipball/abc123, please
create a GitHub OAuth token to go over the API rate limit
Could not authenticate against github.com

Common causes

Unauthenticated API requests hit the rate limit

Without a token, Composer shares the anonymous GitHub API limit, which CI exhausts quickly.

No COMPOSER_AUTH or github-oauth token in the job

The job never exposes a token, so Composer cannot authenticate to the GitHub API.

How to fix it

Provide a token via COMPOSER_AUTH

  1. Expose a token (the built-in GITHUB_TOKEN is enough for public rate limits) to the composer step.
  2. Set it as a github-oauth entry in COMPOSER_AUTH.
  3. Re-run so requests are authenticated.
.github/workflows/ci.yml
- run: composer install --no-interaction
  env:
    COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GITHUB_TOKEN }}"}}'

Or configure the token with composer config

Set the github-oauth token before install as an alternative to the env var.

Terminal
composer config --global github-oauth.github.com "$GH_TOKEN"

How to prevent it

  • Always pass a github-oauth token via COMPOSER_AUTH in CI.
  • Use least-privilege tokens scoped to the repos you install from.
  • Cache dependencies so fewer API calls are needed per run.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →