sp

github 403 that wasn't a permissions problem

2 min read Updated February 6, 2026
#debugging #git #macos #github

Removed the Dembrane org from our GitHub enterprise account to stop paying for unused seats. After that, couldn’t push to our repos.

remote: Permission to Dembrane/echo.git denied to spashii.
fatal: unable to access 'https://github.com/Dembrane/echo.git/': The requested URL returned error: 403

First instinct: permissions. Checked GitHub, spashii still had write access. gh auth status showed authenticated. gh auth refresh didn’t help. Still 403.

Actual problem: macOS keychain.

When you auth with GitHub through an enterprise account, macOS stores enterprise-scoped credentials in the system keychain. When we removed the org from enterprise, those cached tokens became invalid. But Git kept using them instead of falling back to regular auth.

Fix:

Terminal window
# Nuke the cached git credentials from macOS keychain
git credential-osxkeychain erase <<EOF
host=github.com
protocol=https
EOF


# Logout of gh CLI entirely
gh auth logout --hostname github.com


# Re-authenticate fresh
gh auth login

That’s it. Cleared the keychain credential, everything worked.

FYI gh auth status showing “authenticated” doesn’t mean the underlying git credential helper is using the right token. They’re separate systems. The GitHub CLI has its own auth store, but the OS keychain credential helper can override it for HTTPS operations.

If you’re debugging a 403 on GitHub that makes no sense, check what your git credential helper actually has cached. On macOS that means looking at the keychain (or just nuking the entry). The error looked like a permissions problem but the root cause was local credential caching from an infra change days earlier.