Support Bearer scheme for Authorization headers to align with GitHub APIs and enable JWT support #12828

@behinddwalls

Description

Describe the feature or problem you'd like to solve

The GitHub CLI currently uses the token scheme for Authorization headers (Authorization: token <TOKEN>), while GitHub's official API documentation and examples consistently use the standard Bearer scheme (Authorization: Bearer <TOKEN>).

This creates three problems:

  1. Blocks JWT/GitHub App authentication: GitHub's REST API documentation explicitly states: "if you are passing a JSON web token (JWT), you must use Authorization: Bearer". The current token scheme prevents proper GitHub App integration.

  2. Blocks enterprise proxy/SSO integrations: Many enterprises use proxy patterns where SSO issues internal bearer tokens, a proxy exchanges them for GitHub tokens via GitHub App authentication, and forwards requests to GitHub's API. The token scheme forces enterprises to build custom workarounds, maintain CLI forks, or avoid the CLI entirely because GitHub Apps expect Bearer per OAuth 2.0 standards.

  3. Diverges from GitHub's own standards: All official GitHub API curl examples use Bearer, and GitHub's own tools (Octokit, GitHub Actions) use Bearer as the standard. The CLI is inconsistent with the broader GitHub ecosystem.

Proposed solution

Change all Authorization headers from token scheme to Bearer scheme:

Current:

req.Header.Set(authorization, fmt.Sprintf("token %s", token))

Proposed:

req.Header.Set(authorization, fmt.Sprintf("Bearer %s", token))

Benefits:

  • Enables JWT-based GitHub App authentication
  • Removes barriers for enterprise proxy/SSO integrations
  • Aligns with GitHub's documented API standards and examples
  • Complies with RFC 6750 (OAuth 2.0 Bearer Token Usage)
  • Matches GitHub's own tooling ecosystem (Octokit, Actions, etc.)
  • Future-proofs the CLI as GitHub continues OAuth 2.0 standardization

Compatibility: According to GitHub's documentation, both schemes are currently accepted for personal access tokens, so this change is non-breaking for individual users while unlocking enterprise and GitHub App scenarios.

Files affected:

  • api/http_client.go
  • pkg/cmd/auth/shared/login_flow.go
  • pkg/cmd/auth/shared/oauth_scopes.go
  • Associated test files

Additional context

This issue is related to closed PR #11667 by @nishithsoni, which was closed pending proper justification per contribution guidelines.

References:
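The header change the issue proposes, as an added example that is not the CLI's own api/http_client.go code: a hypothetical authTransport that sets the Bearer scheme on every outgoing request, plus an IsJWT helper that recognises the token shape the docs say must use Bearer (three base64url segments whose first segment is a JSON header with an "alg" field). The token values are constructed samples.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// AuthorizationValue builds the header value with the Bearer scheme
// (RFC 6750). GitHub App JWTs require Bearer; PATs accept either scheme.
func AuthorizationValue(token string) string {
	return fmt.Sprintf("Bearer %s", token)
}

// IsJWT reports whether token is shaped like a JWT: three dot-separated
// unpadded base64url segments whose first segment decodes to a JSON
// header carrying an "alg" member. Such tokens must be sent as Bearer.
func IsJWT(token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts {
		if _, err := base64.RawURLEncoding.DecodeString(p); err != nil {
			return false
		}
	}
	hdr, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var h struct{ Alg string `json:"alg"` }
	return json.Unmarshal(hdr, &h) == nil && h.Alg != ""
}

// authTransport (hypothetical) injects the Authorization header.
type authTransport struct {
	token string
	rt    http.RoundTripper
}

func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Clone so the caller's request is not mutated (RoundTripper contract).
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", AuthorizationValue(t.token))
	return t.rt.RoundTrip(r)
}

// NewClient returns an *http.Client that authenticates every request.
func NewClient(token string) *http.Client {
	return &http.Client{Transport: &authTransport{token: token, rt: http.DefaultTransport}}
}
```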

Metadata

Labels: enhancement (a request to improve CLI)