---
id: c5a9dff8-5ebe-4e5e-8494-c46333728db8
type: fix
title: "CT 302 Gitea push: embedded-credential URL rejected, use http.extraHeader instead"
tags: [gitea, claude-runner, git, authentication, fix]
importance: 0.6
confidence: 0.8
created: "2026-02-20T14:56:32.846201+00:00"
updated: "2026-02-20T14:56:32.846201+00:00"
---

## Problem

Pushing from CT 302 (claude-runner, 10.10.0.148) to Gitea failed with 403 Forbidden, even though the token was valid. The remote URL had the token embedded in the URL:

```
https://cal:<token>@git.manticorum.com/cal/claude-runner-monitoring.git
```

Gitea rejected this format.

## Fix

1. Set remote to plain HTTPS (no credentials in URL):
   ```
   git remote set-url origin https://git.manticorum.com/cal/claude-runner-monitoring.git
   ```

2. Configure persistent auth header in git config:
   ```
   git config http.https://git.manticorum.com/.extraHeader 'Authorization: token <token>'
   ```

Token is stored in `~/.claude/secrets/claude_runner_monitoring_gitea_token` on the workstation.

## Notes

- SSH git remote also doesn't work from CT 302 — no SSH key registered with Gitea for root@claude-runner
- The `http.extraHeader` approach applies to all repos under `git.manticorum.com` from CT 302
- Credential helper approach failed due to shell escaping issues over SSH