GitHub personal access tokens (PATs) are a way for developers to interact with GitHub's platform securely via the command line or the GitHub API. This guide provides an overview of GitHub's personal access tokens, including how to create and use PATs effectively.
What is a personal access token on GitHub?
A personal access token (PAT) on GitHub is an authentication method that you can use when performing Git operations over HTTPS or when using the GitHub API. PATs are often used instead of passwords to increase security, especially when two-factor authentication (2FA) is enabled, as they can be scoped to limit access and can be easily revoked if compromised.
Creating a GitHub personal access token
Create a new token in settings:
- Sign in to your GitHub account.
- Navigate to Settings, then to Developer settings.
- Click on 'Personal access tokens' and then 'Generate new token'.
Set expiration and scopes:
- Give your token a descriptive name so you can remember its purpose.
- Set an expiration for the token. You can choose from options like 30 days, 60 days, 90 days, or no expiration (not recommended for security reasons).
- Select the scopes or permissions you want to grant this token. For example, select 'repo' if you need the token for repository operations.
- Always follow the principle of least privilege when scoping your token.
Finish creating your token:
- After configuring your settings and scopes, click 'Generate token'.
- Important: Copy your new personal access token. You won't be able to see it again after you navigate away from the page. This is a security measure: GitHub does not keep the token in plaintext, so it cannot show it to you a second time.
How to use a personal access token on GitHub
For Git operations:
- When you clone, push to, or pull from a repository over HTTPS, use the PAT in place of your password. Here's how you can use it to clone a repo:

git clone https://github.com/username/repo.git
Username: your-username
Password: your-personal-access-token
For API requests:
- You can use the token to authenticate API requests. For example:

curl -H "Authorization: token YOUR_PERSONAL_ACCESS_TOKEN" https://api.github.com/user/repos
Using a personal access token for cloning a repository
If you need to clone a GitHub repository using a personal access token, replace the password with the token when prompted, or embed the token directly in the URL:
git clone https://your-personal-access-token@github.com/username/repo.git
This method embeds the token in the command, making it easier to clone repositories without entering credentials repeatedly. Be aware that the token then ends up in your shell history and in the cloned repository's .git/config (as the origin remote URL), so anyone who can read those files can read the token.
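The following script is an added example, not part of the original guide, covering both the Git-over-HTTPS and API usage above. Instead of embedding the token in the clone URL, it hands the PAT to git through a one-off credential helper (git's documented key=value helper protocol), so the token never lands in .git/config or shell history. It assumes the token is exported as GITHUB_TOKEN and the account name as GITHUB_USER; the function names, the environment variable names and the sample URLs are choices made for this example.

```shell
#!/bin/sh
# Added example: use a GitHub PAT without writing it into the remote URL.
# Assumes GITHUB_USER and GITHUB_TOKEN are exported in the environment.

# Emit credentials in git's credential-helper output format (key=value lines).
# git reads these when it needs a username/password for an HTTPS remote.
pat_credential_helper() {
    printf 'username=%s\npassword=%s\n' \
        "${GITHUB_USER:?set GITHUB_USER}" \
        "${GITHUB_TOKEN:?set GITHUB_TOKEN}"
}

# Succeed (exit 0) if a URL carries credentials before the host, e.g.
# https://TOKEN@github.com/...; such URLs are persisted in .git/config.
url_has_embedded_credentials() {
    case "$1" in
        *://*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Clone a repository, supplying the PAT only for this one git invocation.
# The inline helper is configured with -c, so nothing is stored on disk.
clone_with_pat() {
    url="$1"
    if url_has_embedded_credentials "$url"; then
        echo "refusing to clone: URL embeds credentials: $url" >&2
        return 1
    fi
    git -c credential.helper='!f() { printf "username=%s\npassword=%s\n" "$GITHUB_USER" "$GITHUB_TOKEN"; }; f' \
        clone "$url"
}

# Call the GitHub REST API with the PAT in the Authorization header,
# reading the token from the environment rather than the command line.
api_get() {
    curl -sS --fail \
        -H "Authorization: token ${GITHUB_TOKEN:?set GITHUB_TOKEN}" \
        "https://api.github.com$1"
}

# Usage (hypothetical repository):
#   export GITHUB_USER=your-username GITHUB_TOKEN=your-personal-access-token
#   clone_with_pat https://github.com/username/repo.git
#   api_get /user/repos
```

Because the helper is passed with `-c credential.helper=...`, it applies to that single `git` command only; the token is read from the environment at the moment git asks for it, and the remote URL saved in .git/config stays clean. Exporting the variables matters: git runs the helper in a child shell, which only sees exported variables.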
Best practices for managing personal access tokens
- Review and rotate regularly: Periodically review your tokens, remove the ones you no longer need, and regenerate the rest to limit the damage if one leaks.
- Limit scopes: Only assign the minimum necessary scopes to each token to perform specific tasks.
- Keep tokens confidential: Treat your tokens like passwords. Do not share them in public forums or include them in your code.
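To back up the "do not include them in your code" practice, here is an added example (not from the original guide) of a small check that can run as a pre-commit hook: it greps the given files for strings shaped like GitHub tokens. The prefixes it looks for (ghp_ for classic tokens, github_pat_ for fine-grained tokens) are GitHub's token formats, which the guide itself does not mention; the function name and the sample file in the usage comment are constructed for this example.

```shell
#!/bin/sh
# Added example: flag GitHub PATs before they reach a commit.
# Classic PATs are "ghp_" followed by 36 alphanumerics; fine-grained PATs are
# "github_pat_" followed by 82 characters from [A-Za-z0-9_].
PAT_PATTERN='ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}'

# Print "line-number:match" for each candidate token in the given files.
# Exit status: 1 if any token-like string was found (block the commit),
#              0 if none was found, 2 on a grep error (e.g. unreadable file).
scan_for_pats() {
    grep -nE "$PAT_PATTERN" "$@"
    status=$?
    case "$status" in
        0) return 1 ;;   # matches printed above: treat as a leak
        1) return 0 ;;   # clean
        *) return 2 ;;   # grep itself failed
    esac
}

# Usage as a pre-commit hook (hypothetical):
#   git diff --cached --name-only --diff-filter=ACM | xargs scan_for_pats || {
#       echo "possible GitHub token in staged files; aborting commit" >&2
#       exit 1
#   }
```

The pattern is deliberately strict about length so that a short placeholder such as `ghp_short` does not trip it; a real classic token is always 40 characters long including the prefix. Tokens of other GitHub prefixes (OAuth, app and refresh tokens) are out of scope here and would need their own patterns.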
For more information on GitHub personal access tokens, see the official GitHub documentation.