Creating Personal Access Tokens
Personal access tokens (PATs) serve as an alternative to passwords when authenticating with GitHub through the command line or API.
Note: If you authenticate to GitHub using the GitHub CLI, you can skip generating a PAT and authenticate through your web browser instead.
PATs can be used with the GitHub API or command line to authenticate instead of a password. When accessing resources owned by organizations that use SAML SSO, PATs must be authorized specifically for that purpose.
As a security measure, GitHub automatically deletes personal access tokens that haven't been used for one year. For additional security, it's strongly recommended to set an expiration date when creating your token.
Tokens without scopes can only access public information. To access repositories from the command line, select the repo scope.
Creating a Token
- Verify your email address if it hasn't been verified yet.
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the left sidebar, click Developer settings.
- In the left sidebar, click Personal access tokens, then click Tokens (classic).
- Click Generate new token, then click Generate new token (classic).
- Give the token a descriptive name. To set an expiration, select the Expiration dropdown and choose a date.
- Select the scopes or permissions you want to grant this token. To access repositories from the command line, select the
reposcope. - Click Generate token.
Security Warning
Treat your token like a password and keep it confidential. When using the API, store the token as an environment variable rather than hardcoding it into your programs.
Using the Token on the Command Line
Once you have a token, you can enter it as your password when performing Git operations over HTTPS.
For example, enter the following on the command line:
git clone https://github.com/developer/project.git
Username: your_username
Password: ghp_xxxxxxxxxxxxxxxxxxxx
Personal access tokens only work with HTTPS Git operations. If your repository uses an SSH remote URL, you'll need to switch from SSH to HTTPS.
If you're not prompted for a username and password, your credentials may be cached on your machine. You can update your credentials in the keychain, replacing your old password with the token.
You can use the Git client to cache your PAT instead of manually entering it for every HTTPS Git operation. Git temporarily stores your credentials in memory until they expire.
You can remove cached credentials at any time using the following commands:
git config --global --unset credential.helper
git config --system --unset credential.helper
Note: The --global flag applies to user-level settings, while --system applies to system-level settings. Choose based on you're specific needs.