diff --git a/src/libfetchers-tests/access-tokens.cc b/src/libfetchers-tests/access-tokens.cc
index 02ca082d4..43f623970 100644
--- a/src/libfetchers-tests/access-tokens.cc
+++ b/src/libfetchers-tests/access-tokens.cc
@@ -20,16 +20,36 @@ public:
 void TearDown() override { }
 };
 
-TEST_F(AccessKeysTest, singleGitHub)
+TEST_F(AccessKeysTest, singleOrgGitHub)
 {
 fetchers::Settings fetchSettings = fetchers::Settings{};
- fetchSettings.accessTokens.get().insert({"github.com","token"});
+ fetchSettings.accessTokens.get().insert({"github.com/a","token"});
 auto i = Input::fromURL(fetchSettings, "github:a/b");
 
 auto token = i.scheme->getAccessToken(fetchSettings, "github.com", "github.com/a/b");
 ASSERT_EQ(token,"token");
 }
 
+TEST_F(AccessKeysTest, nonMatches)
+{
+ fetchers::Settings fetchSettings = fetchers::Settings{};
+ fetchSettings.accessTokens.get().insert({"github.com","token"});
+ auto i = Input::fromURL(fetchSettings, "gitlab:github.com/evil");
+
+ auto token = i.scheme->getAccessToken(fetchSettings, "gitlab.com", "gitlab.com/github.com/evil");
+ ASSERT_EQ(token,std::nullopt);
+}
+
+TEST_F(AccessKeysTest, noPartialMatches)
+{
+ fetchers::Settings fetchSettings = fetchers::Settings{};
+ fetchSettings.accessTokens.get().insert({"github.com/partial","token"});
+ auto i = Input::fromURL(fetchSettings, "github:partial-match/repo");
+
+ auto token = i.scheme->getAccessToken(fetchSettings, "github.com", "github.com/partial-match");
+ ASSERT_EQ(token,std::nullopt);
+}
+
 TEST_F(AccessKeysTest, repoGitHub)
 {
 fetchers::Settings fetchSettings = fetchers::Settings{};
diff --git a/src/libfetchers/github.cc b/src/libfetchers/github.cc
index c34ed844b..3c8a587c2 100644
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
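Review bot: In access-tokens.cc the rename of `singleGitHub` to `singleOrgGitHub` changes its key from `github.com` to `github.com/a`, so within this hunk no test asserts any longer that a bare-host key still yields the token for `github.com/a/b`; the tests from `repoGitHub` onward continue outside the hunk and may cover it. Keeping the original case next to the new one, plus a case with both `github.com` and `github.com/a` configured, would pin the longest-prefix behaviour that the stricter matcher must preserve. The two negative tests would also read better with a one-line comment naming what each guards, e.g. `// a key for one host must never match another host whose path merely contains it` above `nonMatches` and `// a key must end on a '/' boundary, not inside a path segment` above `noPartialMatches`.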
@@ -179,8 +179,15 @@ struct GitArchiveInputScheme : InputScheme
 size_t answer_match_len = 0;
 if(! url.empty()) {
 for (auto & token : tokens) {
- auto match_len = url.find(token.first);
- if (match_len != std::string::npos && token.first.length() > answer_match_len) {
+ auto first = url.find(token.first);
+ if (
+ first != std::string::npos
+ && token.first.length() > answer_match_len
+ && first == 0
+ && url.substr(0,token.first.length()) == token.first
+ && (url.length() == token.first.length() || url[token.first.length()] == '/')
+ )
+ {
 answer = token.second;
 answer_match_len = token.first.length();
 }
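Review bot: The new condition tests the same prefix three times: once `first == 0` holds, `first != std::string::npos` and the `url.substr(0, ...) == token.first` comparison add nothing, and `url.find` still scans the whole URL for keys that may only match at position 0. A single anchored comparison keeps the segment-boundary rule and is easier to audit for a credential-selection path: `if (token.first.length() > answer_match_len && url.compare(0, token.first.length(), token.first) == 0 && (url.length() == token.first.length() || url[token.first.length()] == '/'))`. A configured key that ends in `/` will now normally match only a URL identical to it, because the character following the prefix is then not a `/`; if such keys are accepted in settings, that deserves a test or a sentence in the option's documentation. The enclosing function starts and ends outside the hunk, so whatever fallback follows the loop is not visible here.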