[Solved] Your GitHub OAuth token for contains invalid characters on composer install


If you're receiving this error when trying to composer install.

Your GitHub OAuth token for contains invalid characters

Updating Composer

2021.05.20 · Update

The solution is to update Composer to the latest version, which supports the new token format, as suggested by Jordi Boggiano on this tweet. "Composer 1.10.21 and 2.0.12 (both released April 1st) added support for the new GitHub token format."

As of this writing, the following command will install the latest version of Composer on your machine (i.e., 2.0.13). Note that future Composer updates will break the script as shown here, as the hash check won't pass.

php -r "copy('', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === '756890a4488ce9024fc62c56153228907f1545c228516cbf63f885e036d37e9a59d27d63f46af1d4d07ee0f76181c7d3') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"

On macOS, you can use Homebrew to install (or reinstall) composer.

brew install composer
brew reinstall composer

The brute-force fix


As I mentioned above, both Lukas Kahwe Smith and Jordi Boggiano discouraged tinkering with Composer's auth.json file manually and recommended upgrading Composer to its latest version instead.

Still, here's the brute-fox fix that worked for me. Apparently, editing the auth.json is the only way to update to the latest Composer programmatically, and you can revert it to its original state if you opt for this option. The alternative, of course, is to upgrade as shown above.

Edit the composer authentication configuration file ~/.composer/auth.json.

nano ~/.composer/auth.json

Then replace the following.

  "github-oauth": {
    "": "ghp_[YOUR-PERSONAL-TOKEN]"

With this (basic auth):

  "http-basic": {
    "": {
      "username": "[YOUR-GITHUB-USERNAME]",
      "password": "ghp_[YOUR-PERSONAL-TOKEN]"



To Lukas Kahwe Smith and Jordi Boggiano for pointing this out on Twitter.