It does use the token it's just you've hit a rate limit which will refresh in 55 minutes and 9 seconds.

So, why does the initial step of brew search work and if I do a brew cask searchafterwards it also does work?

Further to the previous comment, if the rate limit is one which setting the token does not affect, why does the error message state that setting the token will bypass the limit?

This sounds a lot like the environment variable that should contain the token hasn't been properly set up. The quoted error message is coming _after_ “Searching pull requests...” so it has already finished searching the taps and has moved on to the next step (and this is what is hitting the rate limit). I haven't checked yet, but it could be that different limits apply to different GitHub API operations. brew cask search is unaffected because it doesn't check for pull requests that could be related to the search.

By the way, the whole point of searching for related pull requests is that there's a chance the searched-for software is very new, has been submitted as a pull request, but hasn't ended up in Homebrew just yet.

Does searching the taps include searching casks?

Because searching for a cask that exists just now I got the following output:

$ brew search firefox
Caskroom/cask/firefox                           Caskroom/versions/firefox-beta-uk               Caskroom/versions/firefox-esr-zh-cn             Caskroom/versions/firefox-nl                    Caskroom/versions/firefox-zh-tw
Caskroom/cask/multifirefox                      Caskroom/versions/firefox-beta-zh-cn            Caskroom/versions/firefox-esr                   Caskroom/versions/firefox-pl                    Caskroom/versions/firefoxdeveloperedition-cn
Caskroom/versions/firefox-beta-de               Caskroom/versions/firefox-beta                  Caskroom/versions/firefox-fr                    Caskroom/versions/firefox-pt-br                 Caskroom/versions/firefoxdeveloperedition-ja
Caskroom/versions/firefox-beta-en-gb            Caskroom/versions/firefox-de                    Caskroom/versions/firefox-gl                    Caskroom/versions/firefox-ru                    Caskroom/versions/firefoxdeveloperedition
Caskroom/versions/firefox-beta-ja               Caskroom/versions/firefox-esr-ru                Caskroom/versions/firefox-it                    Caskroom/versions/firefox-uk                    Caskroom/versions/firefoxnightly-ja
Caskroom/versions/firefox-beta-ru               Caskroom/versions/firefox-esr-uk                Caskroom/versions/firefox-ja                    Caskroom/versions/firefox-zh-cn                 Caskroom/versions/firefoxnightly

$ brew search firefox
No formula found for "firefox".
==> Searching pull requests...
Error: GitHub API Error: API rate limit exceeded for XXX.XXX.XXX.XXX. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
Try again in 26 minutes 39 seconds, or create a personal access token:
  https://github.com/settings/tokens/new?scopes=&description=Homebrew
and then set the token as: export HOMEBREW_GITHUB_API_TOKEN="your_new_token"

$ brew cask search firefox
==> Exact match
firefox
==> Partial matches
firefox-beta             firefox-beta-ru          firefox-esr              firefox-fr           firefox-nl           firefox-uk           firefoxdeveloperedition-cn   multifirefox
firefox-beta-de          firefox-beta-uk          firefox-esr-ru           firefox-gl           firefox-pl           firefox-zh-cn            firefoxdeveloperedition-ja
firefox-beta-en-gb       firefox-beta-zh-cn       firefox-esr-uk           firefox-it           firefox-pt-br        firefox-zh-tw            firefoxnightly
firefox-beta-ja          firefox-de           firefox-esr-zh-cn        firefox-ja           firefox-ru           firefoxdeveloperedition      firefoxnightly-ja

$ echo $HOMEBREW_GITHUB_API_TOKEN
681xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I've setup the GitHub token with the following permissions:

• [x] repo Full control of private repositories
• [x] repo:status Access commit
• [x] repo_deployment Access deployment status
• [x] public_repo Access public repositories

Does searching the taps include searching casks?

Yes, though only caskroom/cask and caskroom/versions will be inspected. And it will always search for casks via the GitHub API, even if you have the respective Cask repositories installed locally.

Because searching for a cask that exists just now I got the following output:

I have to run brew search firefox four times in a row before I get this message (with no token set). But once I do set a token with

export HOMEBREW_GITHUB_API_TOKEN=my_secret_token

I again get results for brew search firefox which tells me that the token is being used. (The token doesn't require any specific permissions, e.g. mine only has the permission to create Gists.) Are you sure that you not only assigned the variable in your current shell, but also exported it via export?

In any case, I guess one could say the failure behavior is suboptimal. It's not finding any matches when querying the respective GitHub repositories, but because the search is done in the background and in parallel, the GitHub API error messages related to that part of the search are never shown. Instead, and because apparently no matches were found, the search proceeds by checking for pull requests (and that's the point where you see the error message due to rate limiting).

[…], but because the search is done in the background and in parallel, the GitHub API error messages related to that part of the search are never shown.

Just a clarification on this part: The errors are recorded, but to avoid flooding the user's terminal, we only output the last error and only once all other processing has finished. That's why the error message is shown at the very end and it's not immediately clear from the error message what part of the search caused it. (So the error message doesn't necessarily reference the search for pull requests.)

I have to run brew search firefox four times in a row before I get this message (with no token set).

In a corporate environment where everyone has the same IP you would hit it on first try 😉

I again get results for brew search firefox which tells me that the token is being used. (The token doesn't require any specific permissions, e.g. mine only has the permission to create Gists.) Are you sure that you not only assigned the variable in your current shell, but also exported it via export?

Ok, so I'm using the fish shell and I had set my token with -U, for exporting you need -xor -xU, doing it solved my issue 👍.

This behaviour is just strange because searching for something which yields results for both brew search and brew cask search only fails for the results which belong in Caskroom, and running brew cask search immediately after doesn't fail. It's a bit confusing, but maybe that's just GitHub throttling differently for each repository. Example with one successful search and a subsequent failure:

$ brew search docker
boot2docker                                     docker-cloud                                    docker-machine                                  docker-machine-parallels                        homebrew/completions/docker-completion
docker                                          docker-compose                                  docker-machine-driver-xhyve                     docker-swarm                                    homebrew/completions/docker-compose-completion
docker-clean                                    docker-gen                                      docker-machine-nfs                              homebrew/completions/boot2docker-completion     homebrew/completions/docker-machine-completion
homebrew/emacs/dockerfile-mode                  homebrew/versions/docker171                     Caskroom/cask/boot2docker                       Caskroom/cask/docker                            Caskroom/versions/boot2docker-status-beta
homebrew/versions/docker110                     Caskroom/cask/boot2docker-status                Caskroom/cask/docker-compose                    Caskroom/cask/dockertoolbox

$ brew search docker
boot2docker                                     docker-cloud                                    docker-machine                                  docker-machine-parallels                        homebrew/completions/docker-completion
docker                                          docker-compose                                  docker-machine-driver-xhyve                     docker-swarm                                    homebrew/completions/docker-compose-completion
docker-clean                                    docker-gen                                      docker-machine-nfs                              homebrew/completions/boot2docker-completion     homebrew/completions/docker-machine-completion
Error: GitHub API Error: API rate limit exceeded for XXX.XXX.XXX.XXX. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
Try again in 59 minutes 36 seconds, or create a personal access token:
  https://github.com/settings/tokens/new?scopes=&description=Homebrew
and then set the token as: export HOMEBREW_GITHUB_API_TOKEN="your_new_token"

But I guess this is a different issue from the one that I initially raised... Thank you for your help!

Ok, so I'm using the fish shell and I had set my token with -U, for exporting you need -x or -xU, doing it solved my issue 👍.

I'm glad we were able to solve your issue. Most of our instructions assume bash (the default on macOS, or a compatible shell), so users of other shells usually need to know a bit more about their shell and how to adapt those instructions.

This behaviour is just strange because searching for something which yields results for both brew search and brew cask search only fails for the results which belong in Caskroom, and running brew cask search immediately after doesn't fail. It's a bit confusing, […]

I agree that this could be improved and is a bit confusing. Really the main difference and the cause for the issue you've experienced is that brew search and brew cask search are completely independent of each other. The former performs an online search when looking for casks, even if it theoretically could query the local database (this is meant to help users to find stuff if they don't use Cask just yet). The latter directly queries the local database and is thus unaffected by any rate limits the former might have triggered …