As previously announced, starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com. Instead, token-based authentication (for example, personal access, OAuth, SSH Key, or GitHub App installation token) will be required for all authenticated Git operations.
Please refer to this blog post for instructions on what you need to do to continue using git operations securely.
As previously announced, on August 11 2021 at 14:00 UTC, GitHub will be removing the OAuth Application API to avoid unintentional logging of in-transit access tokens.
Please refer to this blog post on migrating to the replacement endpoints.
Please check the latest Enterprise release notes to learn in which version the OAuth Application API will be removed.
As previously communicated, on August 11, 2021 at 14:00 UTC for 48 hours, GitHub will be conducting the third and final scheduled brownout for API Authentication via Query Parameters.
If you are passing credentials via query or path parameters, GitHub will intermittently respond with client errors. Please refer to this blog post for details on authenticating API requests to GitHub using the Authorization header.
Please check the latest Enterprise release notes to learn in which version API Authentication via Query Parameters will be removed.
API requests made by a GitHub App on behalf of a user that has authorized the app are known as user-to-server requests.
The resources that can be accessed by these requests are constrained to the set of private resources that both the App and the authorizing user can access.
GitHub is now extending this access model, allowing user-to-server requests to also read public resources over the REST API. This includes, for example, the ability to list a public repository's issues and pull requests, and to access a public repository's comments and content.
Read more about authorizing GitHub Apps.
You can now set an expiration date on your new and existing personal access tokens.
Setting an expiration date on personal access tokens is highly recommended as this helps keep your information secure. GitHub will send you an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving you a duplicate token with the same properties as the original.
When using a personal access token with the GitHub API, you'll see a new response header, GitHub-Authentication-Token-Expiration, indicating the token's expiration date. You can use this in scripts, for example to log a warning message as the expiration date approaches.
Learn more about personal access tokens and how to use them.
As previously communicated, on June 9th, 2021 at 14:00 UTC we will be conducting the second scheduled brownout for API Authentication via Query Parameters and the OAuth Applications API. If you are passing credentials via query or path parameters, we will intermittently respond with client errors.
Please refer to this blog post on migrating to the replacement endpoints.
Please refer to this blog post for authentication via headers.
Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.
You can now authenticate to SSH using a FIDO2 security key by adding a sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com SSH key to your account. SSH security keys store secret key material on a separate hardware device that requires verification, such as a tap, to operate.
This combination of storing the key on separate hardware and requiring physical interaction for your SSH key offers additional security. Since the key is stored on hardware and is non-extractable, it can't be read or stolen by software running on the computer. Additionally, the tap prevents unauthorized use of the key since the security key will not operate until you physically interact with it.
Learn more about this feature from the accompanying blog post.
As previously communicated, on May 5th, 2021 we will be conducting the first scheduled brownout for API Authentication via Query Parameters and the OAuth Applications API. If you are passing credentials via query or path parameters, we will intermittently respond with client errors.
Please refer to this blog post on migrating to the replacement endpoints.
Please refer to this blog post for authentication via headers.
Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.
In February 2020, to strengthen the security of our API, we deprecated API Authentication via Query Parameters and the OAuth Application API to avoid unintentional logging of in-transit access tokens. In the coming months, we'll be removing these endpoints and authentication flow according to the following schedule:
Please refer to this blog post on migrating to the replacement endpoints.
Please refer to this blog post for authentication via headers.
Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.
As we announced previously, the format of GitHub authentication tokens has changed. The following token types are affected:
If you use any of these tokens, we encourage you to reset them now. This will give you additional security benefits and allow Secret Scanning to detect the tokens.
Notably, the token formats now include the following updates:
[a-f0-9] to [A-Za-z0-9_]ghp_ for Personal Access Tokensgho_ for OAuth Access tokensghu_ for GitHub App user-to-server tokensghs_ for GitHub App server-to-server tokensghr_ for GitHub App refresh tokensThe length of our tokens is remaining the same for now. However, GitHub tokens will likely increase in length in future updates, so integrators should plan to support tokens up to 255 characters after June 1, 2021.