Composer and GitHub Two Factor Authentication

Short answer: doesn't work, doesn't say why. Here's what to do.

By Matthew Malinowski, 2013-12-18

I hope this shoots to the top of Google results for this issue, because this is really dumb and no one should have to spend time on it.

You run composer install and get this:

Your GitHub credentials are required to fetch private repository metadata (
The credentials will be swapped for an OAuth token stored in /Users/qux/.composer/config.json, your password will not be stored
To revoke access to this token you can visit

And a prompt:

Username: qux

If you have two factor enabled on your GitHub account, nothing's going to work here. There is nothing you can give composer that will get you the OAuth token you're trying to get. You're always going to get this:

The "" file could not be downloaded (HTTP/1.1 404 Not Found)

Ignore things that say openssl is the problem, or that you compiled PHP wrong. Nope. composer doesn't support two factor. Look at composer's code and at the GH API for 2fa. They don't get along.

Solution: Get your own OAuth token. Visit and click "Create New Token". Name it composer or whatever. Copy it. Run composer config -g paste-your-token-here. Try to use composer again, and it should work.

And finally, good luck if you use multiple GitHub accounts. Um, try to use PHP in only one of them?

Back to Blog Index...