How do I resolve OpenTofu authentication issues with private Spacelift modules?

Last updated: December 19, 2025

Context

When using OpenTofu with private Spacelift modules, you may encounter a 401 Unauthorized error during module initialization, even after logging in through the CLI. This typically occurs when there are conflicting or outdated authentication credentials stored across different configuration locations.

Answer

To resolve authentication issues with private Spacelift modules, you'll need to perform a complete cleanup of all OpenTofu and Terraform configuration files before re-authenticating. Follow these steps:

  1. First, remove all configuration and credential files by running: 

    unset TF_CLI_CONFIG_FILE TF_TOKEN_spacelift_io TF_TOKEN_app_spacelift_io

rm -rf \
  ~/.config/opentofu \
  ~/.terraform.d \
  ~/.tofu.d \
  ~/.terraformrc \
  ~/.tofurc \
  ~/.config/terraform

  2. Re-authenticate with Spacelift: 

    tofu login spacelift.io

  3. Follow the browser-based authentication process when prompted

  4. Initialize your OpenTofu project: 

    tofu init -upgrade

After completing these steps, you should be able to successfully download and use private modules from Spacelift's registry.

If you continue to experience issues after following these steps, verify that:

  • You have the correct permissions in your Spacelift account to access the private modules

  • Your login policy is correctly configured to allow module access