
GitHub personal access tokens

Kenny DuMez
Graphite software engineer

GitHub personal access tokens (PATs) are a way for developers to interact with GitHub's platform securely via the command line or the GitHub API. This guide provides an overview of GitHub's personal access tokens, including how to create and use PATs effectively.

A personal access token (PAT) on GitHub is an authentication method that you can use when performing Git operations over HTTPS or when using the GitHub API. PATs are often used instead of passwords to increase security, especially when two-factor authentication (2FA) is enabled, as they can be scoped to limit access and can be easily revoked if compromised.

  1. Create a new token in settings:

    • Sign in to your GitHub account.
    • Navigate to Settings, then to Developer settings.
    • Click on 'Personal access tokens' and then 'Generate new token'.
  2. Set expiration and scopes:

    • Give your token a descriptive name so you can remember its purpose.
    • Set an expiration for the token. You can choose from options like 30 days, 60 days, 90 days, or no expiration (not recommended for security reasons).
    • Select the scopes or permissions you want to grant this token. For example, select 'repo' if you need the token for repository operations.
    • Always follow the principle of least privilege when scoping your token.
  3. Finish creating your token:

    • After configuring your settings and scopes, click ‘Generate token’.
    • Important: Copy your new personal access token. You won’t be able to see it again after you navigate away from the page. This is a security measure to avoid storing your token in plaintext.

For Git operations:

  • When you clone, push to, or pull from a repository over HTTPS, instead of using your password, you will use the PAT. Here's how you can use it to clone a repo:
    git clone https://github.com/username/repo.git
    Username: your-username
    Password: your-personal-access-token

For API requests:

  • You can use the token to authenticate API requests. For example:
    curl -H "Authorization: token YOUR_PERSONAL_ACCESS_TOKEN" https://api.github.com/user/repos

If you need to clone a GitHub repository using a personal access token, replace the password with the token when prompted, or embed the token directly in the URL:

git clone https://your-personal-access-token@github.com/username/repo.git

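This method embeds the token in the command, making it easier to clone repositories without entering credentials repeatedly. The trade-off is that the token is then kept in plaintext in your shell history and in the cloned repository's .git/config as part of the remote URL, so anyone who can read either one can read the token.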
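A clone URL of the form shown above is saved as the remote URL of the new repository. The following check is an added example, not part of the original guide: it reads `git remote -v` output and reports remotes whose HTTPS URL carries embedded credentials, printing only the cleaned URL. The function names and the sample input (with a placeholder token) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Git remotes whose HTTPS URL carries embedded credentials.

# Print the URL with any "user[:password]@" part removed.
strip_userinfo() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# Return 0 if the URL carries embedded credentials, 1 otherwise.
has_userinfo() {
  [ "$(strip_userinfo "$1")" != "$1" ]
}

# Read `git remote -v` output on stdin. For each fetch remote with embedded
# credentials, print "<name> <clean-url>". The secret itself is never printed.
audit_remotes() {
  while read -r name url kind; do
    [ "$kind" = "(fetch)" ] || continue
    if has_userinfo "$url"; then
      printf '%s %s\n' "$name" "$(strip_userinfo "$url")"
    fi
  done
  return 0
}

# Constructed sample input in `git remote -v` format.
# EXAMPLE_TOKEN_PLACEHOLDER stands in for a token; it is not a real PAT.
sample_remotes() {
  printf 'origin\thttps://EXAMPLE_TOKEN_PLACEHOLDER@github.com/username/repo.git (fetch)\n'
  printf 'origin\thttps://EXAMPLE_TOKEN_PLACEHOLDER@github.com/username/repo.git (push)\n'
  printf 'upstream\thttps://github.com/username/repo.git (fetch)\n'
  printf 'upstream\thttps://github.com/username/repo.git (push)\n'
}

# Inside a real repository, run:  git remote -v | audit_remotes
# Each reported remote can then be rewritten with:
#   git remote set-url <name> <clean-url>
# A token that was stored this way should also be regenerated.
sample_remotes | audit_remotes
```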

  • Regularly review and rotate: Regularly review your tokens and regenerate them to minimize risks in case of leaks.
  • Limit scopes: Only assign the minimum necessary scopes to each token to perform specific tasks.
  • Keep tokens confidential: Treat your tokens like passwords. Do not share them in public forums or include them in your code.

For more information on GitHub personal access tokens, see the official GitHub documentation.
