KhueApps
Home/DevOps/Fixing 'HTTP Basic: Access denied' after Git password removal

Fixing 'HTTP Basic: Access denied' after Git password removal

Last updated: October 07, 2025

Table of Contents

  1. Overview
  2. Quickstart (HTTPS with a token)
  3. Minimal working example
  4. Step-by-step fixes
  5. Host-specific hints
  6. Troubleshooting and diagnostics
  7. Pitfalls to avoid
  8. Performance notes
  9. FAQ

Overview

Many Git hosts (GitHub, GitLab, Bitbucket) removed password-based HTTPS authentication. If you see:

  • HTTP Basic: Access denied
  • Authentication failed for ...

switch from account passwords to one of:

  • Personal Access Tokens (PATs) or App Passwords over HTTPS
  • SSH keys (git@host:owner/repo.git)

This guide covers quick fixes, credential helper setup, CI usage, and troubleshooting in a DevOps context.

Quickstart (HTTPS with a token)

  1. Create a Personal Access Token (PAT) on your Git host with minimal scopes:

    • GitHub: repo scope (and SSO authorization if required)
    • GitLab: read_repository/write_repository
    • Bitbucket: App Password with repository scopes

  2. Configure a credential helper so Git can store the token securely.

  3. Use your account username, and paste the PAT when Git asks for a password.

Minimal working example

The following updates your remote and performs an authenticated fetch using a PAT. Replace placeholders appropriately.

# 1) Choose the correct helper for your OS
# Windows
git config --global credential.helper manager-core
# macOS
# git config --global credential.helper osxkeychain
# Linux (GNOME/KDE)
# git config --global credential.helper libsecret

# 2) Ensure your remote uses HTTPS
git remote -v
# origin  https://github.com/OWNER/REPO.git (fetch)
# origin  https://github.com/OWNER/REPO.git (push)

# 3) Trigger auth and enter credentials when prompted
# Username: your account username (not email)
# Password: your PAT (or app password)

git fetch origin

If you prefer SSH:

# Generate a key and add the public key to your Git host account
ssh-keygen -t ed25519 -C "[email protected]"
ssh-add ~/.ssh/id_ed25519

# Update the remote to SSH and test
git remote set-url origin [email protected]:OWNER/REPO.git
ssh -T [email protected]
git fetch origin

Step-by-step fixes

  1. Replace password with a token (HTTPS)

    • Keep your remote as HTTPS.
    • When prompted, use your account username and paste the PAT as the password.
    • Ensure the token has write scope for pushes.

  2. Switch to SSH keys (recommended for long-lived setups)

    • Generate an ed25519 key and add it to the host account.
    • Update your remote to git@host:OWNER/REPO.git.
    • Start an ssh-agent so you aren’t prompted every time.

  3. Clear bad cached credentials

    • Windows (Git Credential Manager):
      • Command: git credential-manager reject https://HOST/OWNER/REPO
      • Or use Windows Credential Manager UI to remove stale entries.
    • macOS (Keychain): git credential-osxkeychain erase https://HOST
    • Linux (libsecret): remove the entry from your keyring app, or reset with: git credential reject <<EOF protocol=https host=HOST path=OWNER/REPO EOF

  4. Configure credential helpers correctly

    • Windows: git config --global credential.helper manager-core
    • macOS: git config --global credential.helper osxkeychain
    • Linux: git config --global credential.helper libsecret
    • For headless CI, use store with care: git config credential.helper store (writes plaintext in ~/.git-credentials; prefer environment-based methods in CI).

  5. CI/CD usage

    • Store tokens as secret variables in your pipeline system.
    • Inject them into Git at runtime:
# Example: non-interactive fetch/push with an env token (CI)
# GIT_USER and GIT_TOKEN must be provided by CI secrets

repo_url="https://$GIT_USER:[email protected]/OWNER/REPO.git"

git remote set-url origin "$repo_url"
git fetch origin
# ... commit changes ...
git push origin HEAD:main
  • For GitLab CI, you can also use CI_JOB_TOKEN for read operations on the same project.
  1. Organization SSO and 2FA
    • If your org enforces SSO, authorize the PAT for the organization.
    • With 2FA enabled, passwords won’t work; PAT or SSH is required.

Host-specific hints

  • GitHub

    • Username: your GitHub username.
    • PAT scopes: repo for private repos; write:packages if pushing packages.
    • If you get 403 with private repos, ensure the PAT is SSO-authorized.

  • GitLab

    • Username: your GitLab username.
    • PAT scopes: read_repository, write_repository as needed.
    • Consider Deploy Tokens for robots or container builds.

  • Bitbucket Cloud

    • Use App Passwords; select repository read/write scopes.
    • Username: your Bitbucket username; password: app password.

Troubleshooting and diagnostics

  • Clear and retry

    • Remove cached credentials, set helper, retry fetch/push.

  • Check remote URL and permissions

    • git remote -v must show the correct host/owner/repo.
    • A 404 during fetch for a private repo often means your token lacks access.

  • Enable verbose tracing

GIT_TRACE=1 GIT_CURL_VERBOSE=1 git fetch origin

  • Use correct username

    • Most hosts expect your account username, not your email.

  • Multiple accounts on one host

    • Use separate credentials per path: git config --global credential.useHttpPath true.
    • Or prefer SSH with per-host entries in ~/.ssh/config.

  • Corporate proxy or MITM

    • If behind a proxy, set git config --global http.proxy http://proxy:port and ensure the proxy passes auth headers.

Pitfalls to avoid

  • Embedding tokens in remotes long-term

    • https://user:token@host/... may leak in logs and .git/config. Prefer credential helpers and environment injection in CI.

  • Over-scoped or never-expiring tokens

    • Grant minimal scopes and set expirations; rotate regularly.

  • Mixing HTTPS and SSH for the same repo

    • Pick one to avoid confusing cached credentials.

  • Storing tokens in shell history

    • Avoid pasting tokens in commands; use prompts or environment variables.

Performance notes

  • SSH vs HTTPS

    • Performance is similar. Choose SSH for stable, key-based auth and easy multiplexing.

  • Reuse connections

    • Enable SSH ControlMaster for multiple Git operations:
# ~/.ssh/config
Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 5m
  • Speed up CI clones
    • Use shallow clones and limited history:
git -c protocol.version=2 clone --depth 1 --filter=blob:none https://host/OWNER/REPO.git
  • Avoid outdated tuning myths
    • Don’t tweak http.postBuffer; modern Git auto-tunes. Instead, reduce large files or use LFS.

FAQ

  • Why did my password stop working?

    • Hosts removed password auth for Git over HTTPS. Use a PAT or SSH keys.

  • Do I need to change my remote URL for tokens?

    • No. Keep HTTPS; just enter the token when prompted. Or switch to SSH and update the remote.

  • My token still fails. What now?

    • Verify scopes, SSO authorization, correct username, and that the repo exists and you have access.

  • How do I remove a bad stored credential?

    • Use your OS-specific credential helper to erase it, then retry to store the correct one.

  • Is it safe to put tokens in URLs in CI?

    • Temporarily, with masked secrets. Prefer environment variables and avoid committing or logging the URL.

Series: Git

DevOps