The 'remote: Invalid username or password. fatal: Authentication failed' error occurs when Git cannot authenticate with the remote repository. This typically happens because password authentication has been deprecated, you have two-factor authentication enabled, or your stored credentials are outdated.
This error indicates that Git's authentication attempt to the remote repository (such as GitHub, GitLab, or Bitbucket) was rejected. The remote server responded that the provided credentials are invalid. Since August 2021, GitHub and other major Git hosting services have deprecated password-based authentication for Git operations. This means you can no longer use your account password directly - you must use a Personal Access Token (PAT) or SSH keys instead. Common scenarios that trigger this error: 1. **Using password instead of token** - Git hosting services now require Personal Access Tokens for HTTPS authentication 2. **Two-factor authentication (2FA) enabled** - When 2FA is on, password authentication is completely blocked 3. **Stale cached credentials** - Old credentials stored in your system's credential manager are outdated 4. **Recently changed password** - Your password was changed but old credentials are still cached 5. **Incorrect username** - Using email address when the service requires your username
Since password authentication is deprecated, you need to create a Personal Access Token. Here's how for major providers:
GitHub:
1. Go to [github.com/settings/tokens](https://github.com/settings/tokens)
2. Click "Generate new token" > "Generate new token (classic)"
3. Enter a description (e.g., "Git CLI access")
4. Select expiration (or "No expiration" for CI/CD)
5. Select scopes: at minimum check repo for private repositories
6. Click "Generate token"
7. Copy the token immediately - you won't be able to see it again!
GitLab:
1. Go to gitlab.com/-/user_settings/personal_access_tokens
2. Enter a name and optional expiration date
3. Select scopes: read_repository, write_repository for git operations
4. Click "Create personal access token"
5. Copy the token
Bitbucket:
1. Go to bitbucket.org/account/settings/app-passwords
2. Click "Create app password"
3. Enter a label and select permissions
4. Copy the generated password
Old credentials may be stored in your system's credential manager. Clear them before entering new ones:
Windows (Credential Manager):
# Open Credential Manager
control /name Microsoft.CredentialManager
# Or via command line - remove git credentials
cmdkey /delete:git:https://github.comLook under "Windows Credentials" for entries containing github.com, gitlab.com, or bitbucket.org and remove them.
macOS (Keychain):
# Remove GitHub credentials from Keychain
git credential-osxkeychain erase
host=github.com
protocol=https
# Press Enter twice after the above lines
# Or open Keychain Access app and search for "github.com"Linux:
# If using Git Credential Manager
git credential reject
host=github.com
protocol=https
# Press Enter twice
# If using .git-credentials file
# Edit or remove ~/.git-credentials
# If using GNOME Keyring
secret-tool clear server github.comNow use your Personal Access Token instead of your password:
# When prompted for password, enter your PAT instead
git push origin main
Username: your-username
Password: <paste your Personal Access Token here>Store credentials so you don't have to enter them every time:
# Enable credential caching (stores in memory for 15 minutes)
git config --global credential.helper cache
# Or store permanently (less secure but convenient)
git config --global credential.helper store
# On macOS, use Keychain
git config --global credential.helper osxkeychain
# On Windows, use Credential Manager
git config --global credential.helper wincred
# Or the newer manager-core
git config --global credential.helper manager-coreThen run any git command that requires authentication - you'll be prompted once, and credentials will be saved.
You can embed the token directly in the remote URL (useful for CI/CD, but be careful with security):
# View current remote URL
git remote -v
# Update remote URL to include token
git remote set-url origin https://<USERNAME>:<TOKEN>@github.com/<USERNAME>/<REPO>.git
# Example
git remote set-url origin https://johndoe:[email protected]/johndoe/my-repo.gitWarning: This stores your token in plain text in .git/config. For shared machines or public repos, prefer credential helpers or SSH keys.
For CI/CD pipelines, use environment variables:
git remote set-url origin https://${GIT_USER}:${GIT_TOKEN}@github.com/${GIT_USER}/${REPO}.gitSSH keys are more secure and don't expire like tokens. Here's how to set them up:
Generate an SSH key:
# Generate new SSH key
ssh-keygen -t ed25519 -C "[email protected]"
# Start SSH agent
eval "$(ssh-agent -s)"
# Add key to agent
ssh-add ~/.ssh/id_ed25519Add the public key to your Git provider:
# Copy public key to clipboard
cat ~/.ssh/id_ed25519.pub
# Copy the output- GitHub: Settings > SSH and GPG keys > New SSH key
- GitLab: Preferences > SSH Keys > Add key
- Bitbucket: Personal settings > SSH keys > Add key
Update your remote URL to use SSH:
# Change from HTTPS to SSH
git remote set-url origin [email protected]:username/repository.git
# Verify the change
git remote -v
# Test SSH connection
ssh -T [email protected]Make sure you're using your username, not your email address:
# Check current Git username configuration
git config --global user.name
# Check what Git is sending to the remote
GIT_CURL_VERBOSE=1 git fetch 2>&1 | grep -i "user"Find your username:
- GitHub: github.com > Profile icon > Your profile (username is in URL)
- GitLab: gitlab.com > Profile icon > Edit profile
- Bitbucket: bitbucket.org > Personal settings > Account settings
Note: Usernames are often case-sensitive in Git operations. If your username is "JohnDoe", use exactly that, not "johndoe".
### Debugging Authentication Issues
Enable verbose mode to see exactly what's happening:
# Enable Git debugging
GIT_CURL_VERBOSE=1 git push 2>&1
# Or more detailed SSH debugging
GIT_SSH_COMMAND="ssh -vvv" git fetch### Git Credential Manager
Git Credential Manager (GCM) is the recommended way to handle authentication:
# Check if GCM is installed
git credential-manager --version
# Install on Linux
# Download from: https://github.com/git-ecosystem/git-credential-manager/releases
# Configure Git to use it
git config --global credential.helper manager
# GCM supports browser-based authentication flow
git push # Opens browser for OAuth authentication### Multiple Accounts on Same Host
If you have multiple GitHub/GitLab accounts:
# Use SSH config for multiple accounts
# ~/.ssh/config
Host github.com-personal
HostName github.com
User git
IdentityFile ~/.ssh/id_ed25519_personal
Host github.com-work
HostName github.com
User git
IdentityFile ~/.ssh/id_ed25519_work
# Clone using specific identity
git clone [email protected]:company/repo.git### CI/CD Best Practices
For automated pipelines:
# GitHub Actions - use built-in token
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Or for cross-repo access, use PAT
- uses: actions/checkout@v4
with:
token: ${{ secrets.PAT_TOKEN }}# GitLab CI - use CI job token
script:
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/group/repo.git### Token Scope Requirements
Minimum required scopes for common operations:
| Operation | GitHub Scope | GitLab Scope |
|-----------|-------------|--------------|
| Clone private repo | repo | read_repository |
| Push to repo | repo | write_repository |
| Read packages | read:packages | read_registry |
### Handling Special Characters
If your password or token contains special characters:
# URL-encode special characters in the URL
# @ becomes %40
# ! becomes %21
# etc.
# Or use credential helper to avoid URL encoding issues
git config --global credential.helper storekex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git