Deploy Error Decoder

'Support for password authentication was removed' — fix GitHub auth

Quick answer: Support for password authentication was removed means GitHub no longer accepts your account password for Git over HTTPS (since August 2021). Use a Personal Access Token in place of the password, or switch the remote to SSH. Generate a token in GitHub settings, then use it as the password on your next git push and let the credential helper cache it.

What the error looks like

The push or pull is rejected with a dated notice:

remote: Support for password authentication was removed on
August 13, 2021.
remote: Please see https://docs.github.com/.../token-authentication
fatal: Authentication failed for 'https://github.com/me/repo.git/'

Your credentials aren't "wrong" — the method is no longer allowed. HTTPS Git now needs a token (or you switch to SSH key auth).

Why it happens

Using a password over HTTPS

GitHub disabled account-password auth for Git; only tokens (or SSH) are accepted.

A cached old password

Your OS credential manager keeps replaying the old password, so it keeps failing.

An expired token

You used a PAT, but it expired or lacks the needed scope.

HTTPS remote where SSH is set up

Your remote uses HTTPS even though you already have working SSH keys.

Fix it in three steps

1

Create a Personal Access Token

# GitHub -> Settings -> Developer settings -> Personal access tokens
# Scope: 'repo' for private repos. Copy the token (shown once).

2

Use the token as your password

git push
# Username: your-github-username
# Password: PASTE THE TOKEN (not your account password)
# A credential helper will cache it for next time.

3

Or switch the remote to SSH

git remote set-url origin [email protected]:me/repo.git
# clear a stale cached credential if needed:
git credential-cache exit

The real fix

Tokens and keys, not passwords

The industry moved off reusable passwords for a reason: a scoped, revocable token (or an SSH key) limits blast radius and can be rotated without changing your account password. Pick one — a PAT for HTTPS or SSH keys — and let the credential helper or agent hold it.

How Infraveil handles this

Scoped, revocable credentials by default

Scoped tokens and keys over shared passwords is the same model Infraveil uses. Its agent authenticates to the control plane with its own keys on your own servers — revocable, least-privilege, and recorded — never a shared secret. Once your Git auth uses a token or key, deploys flow through a path that's provable end to end.

Key-based, revocable agent auth — no shared passwords

Least-privilege access for every action the agent takes

Every deploy and access event recorded, on servers you control

See how it works More deploy fixes

Frequently asked questions

Why was password authentication removed from GitHub?

GitHub disabled account-password authentication for Git over HTTPS in August 2021 for security. You must use a Personal Access Token or SSH keys instead.

How do I create a Personal Access Token?

GitHub → Settings → Developer settings → Personal access tokens. Give it the repo scope for private repositories, copy it (it's shown once), and use it as your password when Git prompts.

Where do I put the token?

Use it as the password at the Git prompt over HTTPS. A credential helper (osxkeychain, manager-core, or git config credential.helper) will store it so you aren't prompted again.

Should I use a token or SSH?

Either works. SSH keys avoid token expiry and are convenient for a workstation; PATs are simple for HTTPS and CI. Both are far safer than a reusable password.