---
title: Managing your personal access tokens
shortTitle: Manage {% data variables.product.pat_generic %}s
intro: You can use a {% data variables.product.pat_generic %} in place of a password when authenticating to {% data variables.product.prodname_dotcom %} in the command line or with the API.
redirect_from:
versions:
category:
---
> [!WARNING]
> Treat your access tokens like passwords. For more information, see Keeping your {% data variables.product.pat_generic %}s secure.
{% data variables.product.pat_generic_caps %}s are an alternative to using passwords for authentication to {% data variables.product.github %} when using the {% data variables.product.github %} API or the command line.
{% data variables.product.pat_generic_caps %}s are intended to access {% data variables.product.company_short %} resources on behalf of yourself. To access resources on behalf of an organization, or for long-lived integrations, you should use a {% data variables.product.prodname_github_app %}. For more information, see AUTOTITLE.
{% data reusables.user-settings.token_access_capabilities %} For example, a {% data variables.product.pat_generic %} can be configured with an admin:org scope, but if the owner of the token is not an organization owner, the token will not give administrative access to the organization.
{% data variables.product.company_short %} currently supports two types of {% data variables.product.pat_generic %}s: {% data variables.product.pat_v2 %}s and {% data variables.product.pat_v1_plural %}. {% data variables.product.company_short %} recommends that you use {% data variables.product.pat_v2 %}s instead of {% data variables.product.pat_v1_plural %} whenever possible.
> [!NOTE]
> {% data variables.product.pat_v2_caps %}s, while more secure and controllable, cannot accomplish every task that a {% data variables.product.pat_v1 %} can. See the section on {% data variables.product.pat_v2_caps_plural %} limitations below to learn more.
Both {% data variables.product.pat_v2 %}s and {% data variables.product.pat_v1_plural %} are tied to the user who generated them and will become inactive if the user loses access to the resource.
Organization owners can set a policy to restrict the access of {% data variables.product.pat_v1_plural %} to their organization{% ifversion ghec or ghes %}, and enterprise owners can restrict the access of {% data variables.product.pat_v1_plural %} to the enterprise or organizations owned by the enterprise{% endif %}. For more information, see AUTOTITLE.
{% data variables.product.pat_v2_caps_plural %} have several security advantages over {% data variables.product.pat_v1_plural %}, but also have limitations that may prevent you from using them in every scenario. These limits, and our plans to fix them, can be found in the section below.
If you can use a {% data variables.product.pat_v2 %} for your scenario, you'll benefit from these improvements:
- Each token is limited to access resources owned by a single user or organization.
- Each token can be further limited to only access specific repositories for that user or organization.
- Each token is granted specific, fine-grained permissions, which offer more control than the scopes granted to {% data variables.product.pat_v1_plural %}.
- Organization owners can require approval for any {% data variables.product.pat_v2 %}s that can access resources in the organization.{% ifversion ghec or ghes %}
- Enterprise owners can require approval for any {% data variables.product.pat_v2 %}s that can access resources in organizations owned by the enterprise.{% endif %}
{% data variables.product.pat_v2_caps_plural %} do not support every feature of {% data variables.product.pat_v1_plural %}. These feature gaps are not permanent - {% data variables.product.company_short %} is working to close them. You can review our public roadmap for more details on when these scenarios will be supported.
The major gaps in {% data variables.product.pat_v2 %}s are:
- Using {% data variables.product.pat_v2 %} to contribute to public repos where the user is not a member.
- Using {% data variables.product.pat_v2 %} to contribute to repositories where the user is an outside or repository collaborator.
- Using {% data variables.product.pat_v2 %} to access multiple organizations at once.
{% ifversion ghes or ghec %}
- Using {% data variables.product.pat_v2 %} to access internal resources within an enterprise the user belongs to.
- Using {% data variables.product.pat_v2 %} to call APIs that manage the Enterprise account.
{% endif %}
- Using {% data variables.product.pat_v2 %} to access Packages.
- Using {% data variables.product.pat_v2 %} to call the Checks API.
- Using {% data variables.product.pat_v2 %} to access Projects owned by a user account.
All of these gaps will be solved over time, as {% data variables.product.company_short %} continues to invest in more secure access patterns.
{% data reusables.user-settings.patv2-limitations %}
If you choose to use a {% data variables.product.pat_v1 %}, keep in mind that it will grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account.
{% ifversion fpt or ghec %}{% data reusables.user-settings.removes-personal-access-tokens %} {% endif %}
{% data variables.product.pat_generic_caps %}s are like passwords, and they share the same inherent security risks. Before creating a new {% data variables.product.pat_generic %}, consider if there is a more secure method of authentication available to you:
- To access {% data variables.product.company_short %} from the command line, you can use {% data variables.product.prodname_cli %} or Git Credential Manager instead of creating a {% data variables.product.pat_generic %}.
- When using a {% data variables.product.pat_generic %} in a {% data variables.product.prodname_actions %} workflow, consider whether you can use the built-in `GITHUB_TOKEN` instead. For more information, see AUTOTITLE.
If these options are not possible, and you must create a {% data variables.product.pat_generic %}, consider using another CLI service to store your token securely.
When using a {% data variables.product.pat_generic %} in a script, you can store your token as a secret and run your script through {% data variables.product.prodname_actions %}. For more information, see AUTOTITLE.{%- ifversion ghec or fpt %} You can also store your token as a {% data variables.product.prodname_codespaces %} secret and run your script in {% data variables.product.prodname_codespaces %}. For more information, see AUTOTITLE.{% endif %}
For more information about best practices, see AUTOTITLE.
> [!NOTE]
> There is a limit of 50 {% data variables.product.pat_v2_plural %} you can create. If you require more tokens or are building automations, consider using a {% data variables.product.prodname_github_app %} for better scalability and management. For more information, see AUTOTITLE.
{% ifversion fpt or ghec %}1. Verify your email address, if it hasn't been verified yet.{% endif %}
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.developer_settings %}
1. In the left sidebar, under {% octicon "key" aria-hidden="true" aria-label="key" %} {% data variables.product.pat_generic_caps %}s, click Fine-grained tokens.
1. Click Generate new token.
1. Under Token name, enter a name for the token.
1. Under Expiration, select an expiration for the token. Infinite lifetimes are allowed but may be blocked by a maximum lifetime policy set by your organization or enterprise owner. For more information, see Enforcing a maximum lifetime policy for {% data variables.product.pat_generic_plural %}.
1. Optionally, under Description, add a note to describe the purpose of the token.
1. Under Resource owner, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear if the organization has blocked the use of {% data variables.product.pat_v2 %}s. For more information, see AUTOTITLE.{% ifversion ghec %} You may be required to perform single sign-on (SSO) if the selected organization requires it and you do not already have an active session.{% endif %}
1. Optionally, if the resource owner is an organization that requires approval for {% data variables.product.pat_v2 %}s, below the resource owner, in the box, enter a justification for the request.
1. Under Repository access, select which repositories you want the token to access. You should choose the minimal repository access that meets your needs. Tokens always include read-only access to all public repositories on {% data variables.product.prodname_dotcom %}.
1. If you selected Only select repositories in the previous step, under the Selected repositories dropdown, select the repositories that you want the token to access.
1. Under Permissions, select which permissions to grant the token. Depending on which resource owner and which repository access you specified, there are repository, organization, and account permissions. You should choose the minimal permissions necessary for your needs.

   The REST API reference document for each endpoint states whether the endpoint works with {% data variables.product.pat_v2 %}s and states what permissions are required in order for the token to use the endpoint. Some endpoints may require multiple permissions, and some endpoints may require one of multiple permissions. For an overview of which REST API endpoints a {% data variables.product.pat_v2 %} can access with each permission, see AUTOTITLE.
1. Click Generate token.

   If you selected an organization as the resource owner and the organization requires approval for {% data variables.product.pat_v2 %}s, then your token will be marked as pending until it is reviewed by an organization administrator. Your token will only be able to read public resources until it is approved. If you are an owner of the organization, your request is automatically approved. For more information, see AUTOTITLE.
{% ifversion fpt or ghec %}
You can share templates for a {% data variables.product.pat_v2 %} via links. By directing users to token creation with relevant fields already completed, you make it easier to automate workflows and improve their developer experience.
Each supported field can be set using a specific query parameter. All parameters are optional and validated by the token generation form to ensure that the combinations of permissions and resource owner make sense.
Here is an example URL template, with line breaks for legibility:

```text
https://github.com/settings/personal-access-tokens/new
?name=Repo-reading+token
&description=Just+contents:read
&target_name=octodemo
&expires_in=45
&contents=read
```

Try the URL to create a token with contents:read and metadata:read, with the given name and description and an expiration date 45 days in the future. You'll see an error message indicating Cannot find the specified resource owner: octodemo because you're not a member of the octodemo organization.
Below are some example URLs that generate the tokens we see most often:
- Read repository contents
- Push access to repositories
- {% data variables.product.prodname_github_models %} access
- Update code and open a pull request
- Manage {% data variables.product.prodname_copilot_short %} licenses in an organization
- Make {% data variables.product.prodname_copilot_short %} requests
To create your own token template, follow the query parameter details provided in this table:
| Parameter | Type | Example Value | Valid Values | Description |
|---|---|---|---|---|
| `name` | string | `Deploy%20Bot` | ≤ 40 characters, URL-encoded | Pre-fills the token's display name. |
| `description` | string | `Used+for+deployments` | ≤ 1024 chars, URL-encoded | Pre-fills the description for the token. |
| `target_name` | string | `octodemo` | User or organization slug | Sets the token's resource target. This is the owner of the repositories that the token will be able to access. If not provided, defaults to the current user's account. |
| `expires_in` | integer | `30` or `none` | Integer between 1 and 366, or `none` | Days until expiration, or `none` for non-expiring. If not provided, the default is 30 days, or less if the target has a token lifetime policy set. |
| `<permission>` | string | `contents=read` | A series of permission and access levels. | The permissions the token should have. Permissions can be set to read, write, or admin, but not every permission supports each of those levels. |
To set a permission, use its name as a query parameter, with the value specifying the desired access level. Valid access levels are read, write, and admin, but not every permission supports every level — some are read-only, some are write-only, and only a few accept admin.
Combine multiple permissions in the form &contents=read&pull_requests=write&..., using as many as needed.
> [!TIP]
> You do not need to include both read and write for a permission in your URL — write always includes read, and admin always includes write.

> [!IMPORTANT]
> Account permissions can only be used when the current user is the resource owner.
| Parameter name | Display name | Access levels |
|---|---|---|
| `blocking` | Block another user | read, write |
| `codespaces_user_secrets` | {% data variables.product.prodname_codespaces %} user secrets | read, write |
| `copilot_messages` | {% data variables.copilot.copilot_chat_short %} | read |
| `copilot_editor_context` | {% data variables.product.prodname_copilot_short %} Editor Context | read |
| `copilot_requests` | {% data variables.product.prodname_copilot_short %} requests | write |
| `emails` | Email addresses | read, write |
| `user_events` | Events | read |
| `followers` | Followers | read, write |
| `gpg_keys` | GPG keys | read, write |
| `gists` | Gists | write |
| `keys` | Git SSH keys | read, write |
| `interaction_limits` | Interaction limits | read, write |
| `knowledge_bases` | Knowledge bases | read, write |
| `user_models` | Models | read |
| `plan` | Plan | read |
| `private_repository_invitations` | Private repository invitations | read |
| `profile` | Profile | write |
| `git_signing_ssh_public_keys` | SSH signing keys | read, write |
| `starring` | Starring | read, write |
| `watching` | Watching | read, write |
{% ifversion copilot %}
> [!NOTE]
> The copilot_requests permission enables making {% data variables.product.prodname_copilot_short %} requests for the given user. These requests count towards the user's premium request allowance. Additional requests beyond the allowance incur overage billing. For more information about {% data variables.product.prodname_copilot_short %} requests and billing, see AUTOTITLE.
{% endif %}
Repository permissions work for both user and organization resource owners.
| Parameter name | Display name | Access levels |
|---|---|---|
| `actions` | Actions | read, write |
| `administration` | Administration | read, write |
{% ifversion artifact-metadata %}
| `artifact_metadata` | Artifact metadata | read, write |
{% endif %}
| `attestations` | Attestations | read, write |
{% ifversion code-quality %}
| `code_quality` | Code quality | read, write |
{% endif %}
| `security_events` | Code scanning alerts | read, write |
| `codespaces` | {% data variables.product.prodname_codespaces %} | read, write |
| `codespaces_lifecycle_admin` | {% data variables.product.prodname_codespaces %} lifecycle admin | read, write |
| `codespaces_metadata` | {% data variables.product.prodname_codespaces %} metadata | read |
| `codespaces_secrets` | {% data variables.product.prodname_codespaces %} secrets | write |
| `statuses` | Commit statuses | read, write |
| `contents` | Contents | read, write |
| `repository_custom_properties` | Custom properties | read, write |
| `vulnerability_alerts` | {% data variables.product.prodname_dependabot_alerts %} | read, write |
| `dependabot_secrets` | Dependabot secrets | read, write |
| `deployments` | Deployments | read, write |
| `discussions` | Discussions | read, write |
| `environments` | Environments | read, write |
| `issues` | Issues | read, write |
| `merge_queues` | Merge queues | read, write |
| `metadata` | Metadata | read |
| `pages` | Pages | read, write |
| `pull_requests` | Pull requests | read, write |
| `repository_advisories` | Repository security advisories | read, write |
| `secret_scanning_alerts` | {% data variables.product.prodname_secret_scanning_caps %} alerts | read, write |
| `secrets` | Secrets | read, write |
| `actions_variables` | Variables | read, write |
| `repository_hooks` | Webhooks | read, write |
| `workflows` | Workflows | write |
> [!IMPORTANT]
> Organization permissions can only be used if the resource owner is an organization.
| Parameter name | Display name | Access levels |
|---|---|---|
| `organization_api_insights` | API Insights | read |
| `organization_administration` | Administration | read, write |
| `organization_user_blocking` | Blocking users | read, write |
| `organization_campaigns` | Campaigns | read, write |
| `organization_custom_org_roles` | Custom organization roles | read, write |
| `organization_custom_properties` | Custom repository properties | read, write, admin |
| `organization_custom_roles` | Custom repository roles | read, write |
| `organization_events` | Events | read |
| `organization_copilot_seat_management` | {% data variables.copilot.copilot_for_business %} | read, write |
| `issue_types` | Issue Types | read, write |
| `organization_knowledge_bases` | Knowledge bases | read, write |
| `members` | Members | read, write |
| `organization_models` | Models | read |
| `organization_network_configurations` | Network configurations | read, write |
| `organization_announcement_banners` | Organization announcement banners | read, write |
| `organization_codespaces` | Organization {% data variables.product.prodname_codespaces %} | read, write |
| `organization_codespaces_secrets` | Organization {% data variables.product.prodname_codespaces %} secrets | read, write |
| `organization_codespaces_settings` | Organization {% data variables.product.prodname_codespaces %} settings | read, write |
| `organization_dependabot_secrets` | Organization {% data variables.product.prodname_dependabot %} secrets | read, write |
| `organization_code_scanning_dismissal_requests` | Organization dismissal requests for {% data variables.product.prodname_code_scanning %} | read, write |
| `organization_private_registries` | Organization private registries | read, write |
| `organization_plan` | Plan | read |
| `organization_projects` | {% data variables.product.prodname_projects_v2 %} | read, write, admin |
| `organization_secrets` | Secrets | read, write |
| `organization_self_hosted_runners` | Self-hosted runners | read, write |
| `team_discussions` | Team discussions | read, write |
| `organization_actions_variables` | Variables | read, write |
| `organization_hooks` | Webhooks | read, write |
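As an added example (not code from this page or from {% data variables.product.company_short %}), the Python helper below builds a pre-filled token URL and applies the rules from the tables above before the form does: the `name` and `description` length limits, the `expires_in` range, the access levels each permission supports (a hard-coded subset of the tables), and the rule that account permissions need the current user as owner while organization permissions need an organization. The function names, the `target_is_org` flag and the treatment of an omitted `target_name` as the current user are assumptions of this example.

```python
from urllib.parse import urlencode

NEW_TOKEN_URL = "https://github.com/settings/personal-access-tokens/new"

# Allowed access levels for a subset of the permissions in the tables above
# (hard-coded for this example; the full lists are on this page).
ACCOUNT_PERMISSIONS = {
    "emails": ("read", "write"),
    "gists": ("write",),
    "user_models": ("read",),
}
REPOSITORY_PERMISSIONS = {
    "contents": ("read", "write"),
    "metadata": ("read",),
    "workflows": ("write",),
}
ORGANIZATION_PERMISSIONS = {
    "members": ("read", "write"),
    "organization_custom_properties": ("read", "write", "admin"),
}


def build_token_url(*, name=None, description=None, target_name=None,
                    target_is_org=False, expires_in=None, **permissions):
    """Return a pre-filled token-creation URL, or raise ValueError for input the
    form would reject. An omitted target_name means the current user (the page's
    default); target_is_org is this example's flag saying target_name is an org."""
    params = {}
    if name is not None:
        if len(name) > 40:
            raise ValueError("name must be at most 40 characters")
        params["name"] = name
    if description is not None:
        if len(description) > 1024:
            raise ValueError("description must be at most 1024 characters")
        params["description"] = description
    if target_name is not None:
        params["target_name"] = target_name
    if expires_in is not None:
        valid_days = isinstance(expires_in, int) and 1 <= expires_in <= 366
        if expires_in != "none" and not valid_days:
            raise ValueError("expires_in must be 1..366 or 'none'")
        params["expires_in"] = expires_in
    for perm, level in permissions.items():
        if perm in ACCOUNT_PERMISSIONS:
            # Account permissions apply only when the current user is the owner.
            if target_name is not None:
                raise ValueError(f"{perm}: account permissions need the current user as owner")
            allowed = ACCOUNT_PERMISSIONS[perm]
        elif perm in ORGANIZATION_PERMISSIONS:
            if not target_is_org:
                raise ValueError(f"{perm}: organization permissions need an organization owner")
            allowed = ORGANIZATION_PERMISSIONS[perm]
        elif perm in REPOSITORY_PERMISSIONS:
            allowed = REPOSITORY_PERMISSIONS[perm]  # valid for user and org owners
        else:
            raise ValueError(f"unknown permission {perm!r}")
        if level not in allowed:
            raise ValueError(f"{perm} supports {', '.join(allowed)}, not {level!r}")
        params[perm] = level
    # urlencode applies the URL encoding the table calls for (spaces become '+').
    return NEW_TOKEN_URL + "?" + urlencode(params)


def is_rejected(**kwargs):
    """True when build_token_url raises ValueError for these arguments."""
    try:
        build_token_url(**kwargs)
    except ValueError:
        return True
    return False
```

Calling `build_token_url(name="Repo-reading token", description="Just contents:read", target_name="octodemo", target_is_org=True, expires_in=45, contents="read")` reproduces the example template above, with the colon percent-encoded.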
{% endif %}
> [!NOTE]
> Organization owners can restrict the access of {% data variables.product.pat_v1 %} to their organization. If you try to use a {% data variables.product.pat_v1 %} to access resources in an organization that has disabled {% data variables.product.pat_v1 %} access, your request will fail with a 403 response. Instead, you must use a {% data variables.product.prodname_github_app %}, {% data variables.product.prodname_oauth_app %}, or {% data variables.product.pat_v2 %}.

> [!WARNING]
> Your {% data variables.product.pat_v1 %} can access every repository that you can access. {% data variables.product.company_short %} recommends that you use {% data variables.product.pat_v2 %}s instead, which you can restrict to specific repositories. {% data variables.product.pat_v2_caps %}s also enable you to specify fine-grained permissions instead of broad scopes.
{% ifversion fpt or ghec %}1. Verify your email address, if it hasn't been verified yet.{% endif %}
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.developer_settings %}
1. In the left sidebar, under {% octicon "key" aria-hidden="true" aria-label="key" %} {% data variables.product.pat_generic_caps %}s, click Tokens (classic).
1. Select Generate new token, then click Generate new token (classic).
1. In the "Note" field, give your token a descriptive name.
1. To give your token an expiration, select Expiration, then choose a default option or click Custom to enter a date.
1. Select the scopes you'd like to grant this token. To use your token to access repositories from the command line, select repo. A token with no assigned scopes can only access public information. For more information, see AUTOTITLE.
1. Click Generate token.
1. Optionally, to copy the new token to your clipboard, click {% octicon "copy" aria-label="Copy token" %}.
{% ifversion ghes %}
{% else %}
{% endif %}
{% ifversion fpt or ghec %}
1. To use your token to access resources owned by an organization that uses SAML single sign-on, authorize the token. For more information, see AUTOTITLE{% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %}
{% endif %}
You should delete a {% data variables.product.pat_generic %} if it is no longer needed. If you delete a {% data variables.product.pat_generic %} that was used to create a deploy key, the deploy key will also be deleted.
{% data reusables.user-settings.access_settings %} {% data reusables.user-settings.developer_settings %}
- In the left sidebar, under {% octicon "key" aria-hidden="true" aria-label="key" %} {% data variables.product.pat_generic_caps %}s, click either Fine-grained tokens or Tokens (classic), depending on which type of {% data variables.product.pat_generic %} you'd like to delete.
- To the right of the {% data variables.product.pat_generic %} you want to delete, click Delete.
{% ifversion ghec or fpt %}
> [!NOTE]
> If you find a leaked {% data variables.product.pat_generic %} belonging to someone else, you can submit a revocation request through the REST API. See AUTOTITLE.
{% endif %}
Once you have a {% data variables.product.pat_generic %}, you can enter it instead of your password when performing Git operations over HTTPS.
For example, to clone a repository on the command line you would enter the following git clone command. You would then be prompted to enter your username and password. When prompted for your password, enter your {% data variables.product.pat_generic %} instead of a password.
```shell
$ git clone https://{% data variables.product.product_url %}/USERNAME/REPO.git
Username: YOUR-USERNAME
Password: YOUR-PERSONAL-ACCESS-TOKEN
```

Although you are required to enter your username along with your {% data variables.product.pat_generic %}, the username is not used to authenticate you. Instead, the {% data variables.product.pat_generic %} is used to authenticate you. If you do not enter a username, you will receive an error message that your credentials are invalid.
{% data variables.product.pat_generic_caps %}s can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to switch the remote from SSH to HTTPS.
If you are not prompted for your username and password, your credentials may be cached on your computer. You can update your credentials in the Keychain to replace your old password with the token.
Instead of manually entering your {% data variables.product.pat_generic %} for every HTTPS Git operation, you can cache your {% data variables.product.pat_generic %} with a Git client. Git will temporarily store your credentials in memory until an expiry interval has passed. You can also store the token in a plain text file that Git can read before every request. For more information, see AUTOTITLE.