Skip to content
Latchkey

Composer "Could not authenticate against github.com" in CI

Composer needs credentials to fetch a private package or to raise GitHub’s API rate limit, and none were provided in CI. GitHub answers 401/403, and Composer cannot download the package.

What this error means

Composer fails on a private VCS dependency (or under heavy metadata load) with "Could not authenticate against github.com" or an HTTP 403. The same install works locally where your token is configured in auth.json.

composer output
Could not authenticate against github.com
  - Downloading acme/private-lib (1.0.0)
The "https://api.github.com/repos/acme/private-lib/zipball/..." file could not be
downloaded (HTTP/2 403)

Common causes

No credentials in the CI environment

Your local auth.json is not committed (correctly), so CI has no token. Private repos return 403 and the install fails.

A token without access to the private repo

The provided token lacks repo scope or access to the specific private repository, so GitHub rejects the request.

How to fix it

Provide a github-oauth token

Configure Composer auth from a CI secret before installing.

Terminal
composer config --global github-oauth.github.com "$GH_TOKEN"
composer install --no-interaction

Use COMPOSER_AUTH for full auth config

For private Composer registries or multiple hosts, pass auth as JSON via the environment.

Terminal
export COMPOSER_AUTH='{"github-oauth":{"github.com":"'"$GH_TOKEN"'"}}'
composer install --no-interaction

How to prevent it

  • Store the token as a CI secret and configure github-oauth/COMPOSER_AUTH in the job.
  • Keep auth.json out of version control.
  • Scope tokens to the minimum repositories/registries required.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →