authentication

Subscribe to all “authentication” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

GitHub recently introduced the ability to set an expiration date when creating or regenerating a personal access token (PAT). For a PAT that is authorized to access an organization protected by SAML single sign-on (SSO), the expiration date of that PAT is now available via the GET /orgs/{org}/credential-authorizations API.

Organization administrators can use the following gh command to see the expiration dates of all PATs that are authorized to access their org by authenticating with a PAT that has the read:org scope:

gh api --paginate /orgs/:org/credential-authorizations --jq='.[] | [.authorized_credential_expires_at]'

Learn more about authorizing a personal access token for use with SAML single sign-on.

See more

GitHub will stop supporting API Authentication via Query Parameters with Actions on October 6th 2021 at 14:00 UTC. If you are passing credentials via query or path parameters, GitHub will respond with client errors. Please refer to this blog post for details on authenticating API requests to GitHub using the Authorization header.

Removal

  • October 6 2021 at 14:00 UTC
See more

As previously announced, on September 8th 2021 at 14:00 UTC, GitHub will stop supporting API Authentication via Query Parameters.

If you are passing credentials via query or path parameters, GitHub will respond with client errors. Please refer to this blog post for details on authenticating API requests to GitHub using the Authorization header.

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version API Authentication via Query Parameters will be removed.

See more

As previously announced, starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com. Instead, token-based authentication (for example, personal access, OAuth, SSH Key, or GitHub App installation token) will be required for all authenticated Git operations.

Please refer to this blog post for instructions on what you need to do to continue using git operations securely.

Removal

  • August 13, 2021, at 09:00 PST
See more

As previously announced, on August 11 2021 at 14:00 UTC, GitHub will be removing the OAuth Application API to avoid unintentional logging of in-transit access tokens.

Please refer to this blog post on migrating to the replacement endpoints.

Removal

  • August 11 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version the OAuth Application API will be removed.

See more

As previously communicated, on August 11, 2021 at 14:00 UTC for 48 hours, GitHub will be conducting the third and final scheduled brownout for API Authentication via Query Parameters.

If you are passing credentials via query or path parameters, GitHub will intermittently respond with client errors. Please refer to this blog post for details on authenticating API requests to GitHub using the Authorization header.

Brownouts

  • August 11, 2021: For 48 hours starting at 14:00 UTC

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version API Authentication via Query Parameters will be removed.

See more

API requests made by a GitHub App on behalf of a user that has authorized the app are known as user-to-server requests.

The resources that can be accessed by these requests are constrained to the set of private resources that both the App and the authorizing user can access.

GitHub is now extending this access model, allowing user-to-server requests to also read public resources over the REST API. This includes, for example, the ability to list a public repository's issues and pull requests, and to access a public repository's comments and content.

Read more about authorizing GitHub Apps.

See more

You can now set an expiration date on your new and existing personal access tokens.

Setting an expiration date on personal access tokens is highly recommended as this helps keep your information secure. GitHub will send you an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving you a duplicate token with the same properties as the original.

When using a personal access token with the GitHub API, you'll see a new response header, GitHub-Authentication-Token-Expiration, indicating the token's expiration date. You can use this in scripts, for example to log a warning message as the expiration date approaches.

Learn more about personal access tokens and how to use them.

See more

As previously communicated, on June 9th, 2021 at 14:00 UTC we will be conducting the second scheduled brownout for API Authentication via Query Parameters and the OAuth Applications API. If you are passing credentials via query or path parameters, we will intermittently respond with client errors.

OAuth Application API

Please refer to this blog post on migrating to the replacement endpoints.

Brownouts

  • June 9, 2021: For 24 hours starting at 14:00 UTC

Removal

  • August 11 2021 at 14:00 UTC

Authentication via Query Parameters

Please refer to this blog post for authentication via headers.

Brownouts

  • June 9, 2021: For 24 hours starting at 14:00 UTC
  • August 11, 2021: For 48 hours starting at 14:00 UTC

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.

See more

As previously communicated, on May 5th, 2021 we will be conducting the first scheduled brownout for API Authentication via Query Parameters and the OAuth Applications API. If you are passing credentials via query or path parameters, we will intermittently respond with client errors.

OAuth Application API

Please refer to this blog post on migrating to the replacement endpoints.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC

Removal

  • August 11 2021 at 14:00 UTC

Authentication via Query Parameters

Please refer to this blog post for authentication via headers.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC
  • August 11, 2021: For 48 hours starting at 14:00 UTC

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.

See more

In February 2020, to strengthen the security of our API, we deprecated API Authentication via Query Parameters and the OAuth Application API to avoid unintentional logging of in-transit access tokens. In the coming months, we'll be removing these endpoints and authentication flow according to the following schedule:

OAuth Application API

Please refer to this blog post on migrating to the replacement endpoints.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC

Removal

  • August 11 2021 at 14:00 UTC

Authentication via Query Parameters

Please refer to this blog post for authentication via headers.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC
  • August 11, 2021: For 48 hours starting at 14:00 UTC

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.

See more

As we announced previously, the format of GitHub authentication tokens has changed. The following token types are affected:

If you use any of these tokens, we encourage you to reset them now. This will give you additional security benefits and allow Secret Scanning to detect the tokens.

Notably, the token formats now include the following updates:

  • The character set changed from [a-f0-9] to [A-Za-z0-9_]
  • The format now includes a prefix for each token type:
    • ghp_ for Personal Access Tokens
    • gho_ for OAuth Access tokens
    • ghu_ for GitHub App user-to-server tokens
    • ghs_ for GitHub App server-to-server tokens
    • ghr_ for GitHub App refresh tokens

The length of our tokens is remaining the same for now. However, GitHub tokens will likely increase in length in future updates, so integrators should plan to support tokens up to 255 characters after June 1, 2021.

See more