memories/git-credential-store-email-username-failure-20ca6fd1.md

memory

The plain text file format used by a helper like git-credential-store is formatted as https://username:password@host. When the username is itself an email address (e.g., when authenticating with a GitLab Personal Access Token), the additional @ character collides with the standard delimiter separating the credentials from the target host.

Because the parser is naive, it fails to disambiguate the username's @ from the host's delimiter. Consequently, credential lookups fail silently, and Git reverts to prompting for a password even when ~/.git-credentials is populated correctly.

Resolutions

  • Percent-encode the username: Encode the @ in the email address as %40 (e.g., samuel.adams%40docebo.com) within the store.
  • Use GitLab Deploy Tokens: Where applicable, use a Deploy Token instead of a PAT tied to an email identity. Deploy token usernames are auto-generated opaque strings without specialty characters, avoiding the delimiter issue entirely. They are also narrower in scope (project-level, read_repository only) and distinctively revocable, conforming to the principle of least privilege.