Skip to content

Authentication token format updates are generally available

As we announced previously, the format of GitHub authentication tokens has changed. The following token types are affected:

If you use any of these tokens, we encourage you to reset them now. This will give you additional security benefits and allow Secret Scanning to detect the tokens.

Notably, the token formats now include the following updates:

  • The character set changed from [a-f0-9] to [A-Za-z0-9_]
  • The format now includes a prefix for each token type:
    • ghp_ for Personal Access Tokens
    • gho_ for OAuth Access tokens
    • ghu_ for GitHub App user-to-server tokens
    • ghs_ for GitHub App server-to-server tokens
    • ghr_ for GitHub App refresh tokens

The length of our tokens is remaining the same for now. However, GitHub tokens will likely increase in length in future updates, so integrators should plan to support tokens up to 255 characters after June 1, 2021.

Millions of repos use Dependabot to keep their dependencies up to date, either by updating when a Dependabot alert lets them know about a vulnerable dependency (security updates), or on a fixed schedule (version updates). Dependabot security updates have been generally available for over a year, and it's time that version updates join them in general availability.

Dependabot version updates extend the functionality provided by security updates by creating pull requests updating all configured dependencies to their latest versions, staying ahead of potential security vulnerabilities. You can configure it to update selected ecosystems on your schedule, including or excluding desired dependencies.

Thanks to all Dependabot users who have filed issues, provided feedback, and helped us achieve this milestone.

Learn more about Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.

See more

Dependabot now supports bundler v2 for both security and version updates.

Learn more about Dependabot version updates and security updates.

To see what’s next for Dependabot, visit the public roadmap.

See more