Unauthorized to download an org's github package via nuget

[miguel-jko]

I have generated a classic token under my settings with all repo permissions, and read write delete permissions for packages
I have added that token as a secret for the repository
I used that secret for the github actions that publish the package
The package is correctly published (as a private one) and I can clearly see it listed in the org's package page
I have set the my nuget config credentials to be my personal username and the generated token as pwd
I can successfully curl into the org's packages index.json
Yet, when I try to install the package via nuget, it fails with an authentication error

I have also tried to use a fine grained token but there are no package permissions listed for those.

What is going wrong here, how can I access the published package

[hogan-tech]

GitHub Packages for NuGet currently require a classic Personal Access Token, not a fine-grained one. Make sure your token has read:packages, write:packages, delete:packages, and repo scopes.

Check that your nuget.config uses the correct registry URL:

https://nuget.pkg.github.com/ORG_NAME/index.json

and matches your organization name exactly.

Also verify that:

• Your org allows classic PAT access to packages (Settings → Packages → Policies).
• The package visibility and permissions include your user.

If curl -u USER:TOKEN https://nuget.pkg.github.com/ORG_NAME/index.json works but nuget install fails, the issue is with your nuget.config or org policy. Fine-grained tokens don’t yet support NuGet package access.

[miguel-jko]

GitHub Packages for NuGet currently require a classic Personal Access Token, not a fine-grained one. Make sure your token has read:packages, write:packages, delete:packages, and repo scopes.

I have the right permissions set

---

Check that your nuget.config uses the correct registry URL [...] and matches your organization name exactly

It does

---

Settings → Packages → Policies

There is no such option:

---

The package visibility and permissions include your user.

I'm an admin and permissions are inherited

[miguel-jko]

My org does not have SSO configured. The option is not available in the token's setting either.

The URL is correct.

[apo-bozdag]

Fix steps 

1. Authorize your PAT with org SSO
   • Classic PATs must be explicitly authorized for the organization.
   • Open your token → Configure SSO → authorize it for the org hosting the package.
2. Use a classic PAT (not fine‑grained)
   • Scopes needed to consume: read:packages + repo.
   • Publishing can use write:packages + delete:packages, but installs only need read:packages.
3. Point NuGet to the right feed URL
   • It must be your org feed:
   ▫ https://nuget.pkg.github.com/ORG_NAME/index.json
   • ORG_NAME must match exactly (case‑sensitive in practice).
4. Match source and credentials in nuget.config
   • The source key and the credentials key must be identical.
   • Minimal example (keep secrets out of VCS; prefer env vars):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <packageSources>
   <clear />
   <add key="github-org" value="https://nuget.pkg.github.com/ORG_NAME/index.json" />
 </packageSources>

 <packageSourceCredentials>
   <github-org>
     <add key="Username" value="YOUR_GITHUB_USERNAME" />
     <add key="ClearTextPassword" value="%GITHUB_PAT%" />
   </github-org>
 </packageSourceCredentials>
</configuration>

• Then run with env var set:
▫ Windows (PowerShell): ‎$env:GITHUB_PAT='ghp_...'
▫ macOS/Linux: ‎export GITHUB_PAT='ghp_...'
5. Verify org/package access policies
• Packages → the private package → Manage access: ensure your user (or team) can read.
• Org Settings → Packages/Policies: allow classic PATs for package access.
6. Sanity checks
• NuGet client/dotnet SDK is up to date.
• You’re a member of the org (private packages aren’t visible to outsiders).
• The package ID + version you’re installing exists on that feed.

Quick commands (alternative to nuget.config) 

dotnet nuget remove source github-org || true
dotnet nuget add source "https://nuget.pkg.github.com/ORG_NAME/index.json" \
 --name "github-org" \
 --username YOUR_GITHUB_USERNAME \
 --password "$GITHUB_PAT" \
 --store-password-in-clear-text

dotnet add package Your.Package.Id --version 1.2.3

Why curl works but NuGet fails 
• Curl hits the feed index anonymously with basic auth; NuGet enforces the SSO authorization + proper source/credential linkage. The missing SSO handshake or a mismatched nuget.config key is the usual culprit.

Do those in order: SSO authorize the classic PAT, fix the feed URL, align nuget.config keys, and check org package policies. After that, installs should work.

[miguel-jko]

My org does not have SSO configured. The option is not available in the token's setting either. What can I then do to enable this if NuGet attempts to enforce SSO?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬