This error occurs when pushing to a GitHub organization repository that has OAuth App access restrictions enabled. The OAuth application you're using (such as Git Credential Manager or an IDE) hasn't been approved by your organization administrator to access organization resources.
This error indicates that your GitHub organization has enabled OAuth App access restrictions, which prevent third-party OAuth applications from accessing organization repositories unless they've been explicitly approved by an organization owner. When you authenticate to GitHub using tools like Git Credential Manager, Visual Studio Code, JetBrains IDEs, or other Git clients, these tools often use OAuth to authenticate. If your organization has enabled OAuth App access restrictions (which is the default for new organizations), these applications must be approved before they can access organization resources. The restriction is a security feature that helps organizations control which third-party applications can access their repositories, member information, and other sensitive data. When a member tries to use an unapproved OAuth app: 1. The authentication is blocked 2. The member receives this error message 3. The organization owner is notified of the access request This is different from Personal Access Token (PAT) restrictions - OAuth Apps are separate applications that use OAuth flow to authenticate, while PATs are tokens you generate directly in GitHub settings.
First, confirm that OAuth App access restrictions are causing the issue:
Check your access request status:
1. Go to [github.com/settings/organizations](https://github.com/settings/organizations)
2. Find the organization in question
3. Look for any pending access requests
Signs OAuth restrictions are enabled:
- The error specifically mentions "OAuth App access restrictions enabled"
- You can access personal repositories but not organization repositories
- The issue affects multiple tools that use OAuth (IDE, Git client, etc.)
Check organization settings (if you're an owner):
1. Go to the organization's page on GitHub
2. Click Settings > Third-party Access > OAuth app policy
3. If you see approved/denied apps and "Restrictions enabled", OAuth restrictions are active
If you're a member (not an owner) of the organization, you need to request access:
Automatic request:
When you try to authenticate an OAuth app to an organization with restrictions, GitHub automatically sends an access request to organization owners. Check if a request was already sent.
Manual request:
1. Go to [github.com/settings/connections/applications](https://github.com/settings/connections/applications)
2. Find the OAuth application (e.g., "Git Credential Manager", "VS Code", "IntelliJ IDEA")
3. Click on the application
4. Look for the organization and click Request access or Grant next to it
Contact your administrator:
Hi [Admin Name],
I'm getting an "OAuth App access restrictions enabled" error when trying to
push to the [repo-name] repository in our organization.
Could you please approve the [Application Name] OAuth app for our organization?
You can do this at: https://github.com/organizations/[org-name]/settings/oauth_application_policy
Thanks!Your admin will receive a notification and can approve the request from the organization settings.
If you're an organization owner or administrator, you can approve OAuth apps:
Approve a specific OAuth app:
1. In the upper-right corner of GitHub, click your profile picture > Organizations
2. Next to your organization, click Settings
3. In the sidebar, under "Third-party Access", click OAuth app policy
4. Find the application that needs approval (look for pending requests)
5. Click Review next to the application
6. Review the permissions requested
7. Click Grant access to approve
Review pending access requests:
1. Navigate to https://github.com/organizations/YOUR_ORG/settings/oauth_application_policy
2. Look under "Pending requests" section
3. Review and approve legitimate requests from team members
Common OAuth apps to approve:
- Git Credential Manager - Used by Git for Windows and Git Credential Manager Core
- GitHub Desktop - Official GitHub desktop application
- Visual Studio Code - Microsoft's code editor
- JetBrains IDEs - IntelliJ, PyCharm, WebStorm, etc.
- Sourcetree - Atlassian's Git client
- GitKraken - Popular cross-platform Git client
SSH authentication bypasses OAuth restrictions entirely. This is often the quickest workaround:
Step 1: Generate a new SSH key:
ssh-keygen -t ed25519 -C "[email protected]"
# Press Enter to accept default location
# Enter a passphrase (recommended)Step 2: Add the key to your SSH agent:
# Start the SSH agent
eval "$(ssh-agent -s)"
# Add your key
ssh-add ~/.ssh/id_ed25519Step 3: Add the public key to GitHub:
# Copy your public key
cat ~/.ssh/id_ed25519.pub1. Go to [github.com/settings/keys](https://github.com/settings/keys)
2. Click New SSH key
3. Paste your public key and give it a descriptive title
4. Click Add SSH key
Step 4: Change your remote URL to SSH:
# Check current remote
git remote -v
# Change from HTTPS to SSH
git remote set-url origin [email protected]:ORGANIZATION/REPO.git
# Test the connection
ssh -T [email protected]Note: If your organization has restricted SSH keys created before February 2014, you'll need to generate a new key as shown above.
Personal Access Tokens provide another way to bypass OAuth restrictions:
Generate a fine-grained PAT:
1. Go to [github.com/settings/tokens?type=beta](https://github.com/settings/tokens?type=beta)
2. Click Generate new token
3. Give it a descriptive name (e.g., "Development - CLI")
4. Set Resource owner to the organization (if visible)
5. Under Repository access, select the repos you need
6. Under Permissions, enable:
- Contents: Read and write (for push/pull)
- Metadata: Read-only
7. Click Generate token and copy it immediately
Or generate a classic PAT:
1. Go to [github.com/settings/tokens](https://github.com/settings/tokens)
2. Click Generate new token (classic)
3. Select scopes: repo (full control of private repositories)
4. Click Generate token and copy it
Use the PAT for authentication:
# Clear cached OAuth credentials first (see next step)
# Then when prompted for password, use your PAT instead
git push origin main
# Username: your-github-username
# Password: [paste your PAT here]Note: Fine-grained PATs may also require organization approval if the org has enabled PAT restrictions. Check with your admin.
If you're switching authentication methods, clear your cached OAuth credentials:
On Windows (Credential Manager):
# Open Credential Manager
control /name Microsoft.CredentialManager
# Or via command line
cmdkey /list | findstr github
cmdkey /delete:git:https://github.com1. Open Control Panel > Credential Manager > Windows Credentials
2. Find entries containing "github.com" or "git:"
3. Click each entry and select Remove
On macOS (Keychain):
# Remove GitHub credentials from Keychain
git credential-osxkeychain erase
host=github.com
protocol=https
# Press Enter twice
# Or open Keychain Access app and search for "github"On Linux:
# If using credential store
rm ~/.git-credentials
# If using credential cache
git credential-cache exit
# Check what credential helper is configured
git config --global credential.helperAfter clearing credentials, your next Git operation will prompt you to authenticate again with your new method.
If OAuth restrictions are causing widespread issues and your organization doesn't require them, you can disable them:
Warning: This reduces security by allowing all OAuth apps to access organization resources without approval. Consider the security implications before disabling.
To disable OAuth restrictions:
1. In the upper-right corner of GitHub, click your profile picture > Organizations
2. Next to your organization, click Settings
3. In the sidebar, under "Third-party Access", click OAuth app policy
4. Click Remove restrictions
5. Read the warning about the implications
6. Click Yes, remove application restrictions
Better alternative - Approve specific apps:
Instead of disabling restrictions entirely, consider:
1. Keeping restrictions enabled
2. Proactively approving common developer tools (VS Code, JetBrains, Git Credential Manager)
3. Having a process for team members to request app approval
Re-enabling restrictions:
If you disable restrictions and want to re-enable them later:
1. Go to Organization Settings > OAuth app policy
2. Click Enable restrictions
3. Note: This will revoke access for all currently authorized OAuth apps
Sometimes the OAuth authorization becomes stale or corrupted. Re-authorizing can fix the issue:
Revoke and re-authorize:
1. Go to [github.com/settings/connections/applications](https://github.com/settings/connections/applications)
2. Find the OAuth application (e.g., "Git Credential Manager")
3. Click on the application name
4. Click Revoke access or Revoke
5. Clear your local credentials (see previous step)
6. Perform a Git operation (push, pull, fetch) to trigger re-authentication
7. Complete the OAuth flow in your browser when prompted
For Git Credential Manager specifically:
# Reconfigure Git Credential Manager
git credential-manager unconfigure
git credential-manager configure
# Or reset it entirely
git config --global --unset credential.helper
git config --global credential.helper managerFor VS Code:
1. Open Command Palette (Ctrl+Shift+P / Cmd+Shift+P)
2. Type "Sign out" and select "GitHub: Sign Out"
3. Restart VS Code
4. When prompted, sign in again with your GitHub account
After re-authorizing, if the organization has OAuth restrictions, you'll need to request access again.
### Understanding OAuth vs. PAT vs. SSH
GitHub supports multiple authentication methods, and OAuth restrictions only affect one:
| Method | Affected by OAuth Restrictions | Best For |
|--------|-------------------------------|----------|
| OAuth Apps | Yes | IDE integrations, third-party tools |
| Personal Access Tokens | No (but may have separate restrictions) | CLI, scripts, automation |
| SSH Keys | No (unless pre-Feb 2014) | Daily development, secure access |
| GitHub CLI | Depends on auth method | Quick operations, PR management |
### Why Organizations Enable OAuth Restrictions
Organizations enable these restrictions to:
1. Prevent data leaks - Unapproved apps can't access organization data
2. Control third-party access - Admins can audit which tools have access
3. Compliance requirements - Many regulations require controlling data access
4. Protect sensitive repos - Ensure only approved tools can access code
### SSH Keys and OAuth Restrictions
A common misconception is that SSH bypasses all restrictions. However:
# SSH keys created before February 2014 may be blocked
# Generate a new key to ensure compatibility
ssh-keygen -t ed25519 -C "[email protected]"### GitHub Enterprise Considerations
On GitHub Enterprise Cloud and Server, OAuth restrictions work similarly but may have additional configuration options:
- SAML SSO may add another layer of authorization requirements
- Organization policies may require SSO re-authentication
- Enterprise-level policies may override organization settings
### Debugging OAuth Issues
# Check which credential helper is being used
git config --list --show-origin | grep credential
# Test authentication without pushing
git ls-remote origin
# Enable verbose SSH debugging
GIT_SSH_COMMAND="ssh -v" git fetch
# Check your GitHub authentication status (if using gh cli)
gh auth status### CI/CD Pipeline Considerations
For automated pipelines:
1. Use deploy keys - Repository-specific SSH keys that bypass OAuth
2. Use GitHub Apps - Create a GitHub App for your organization (different from OAuth Apps)
3. Use fine-grained PATs - Scoped tokens approved for specific repositories
4. Use GITHUB_TOKEN - Built-in token for GitHub Actions workflows
# GitHub Actions example - GITHUB_TOKEN is automatically available
- name: Push changes
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git push origin main### Audit Log for OAuth Events
Organization owners can review OAuth-related events in the audit log:
1. Go to Organization Settings > Audit log
2. Filter by action:oauth_authorization or action:org.oauth_app
3. Review who is requesting access and which apps are being used
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git