Authentication overview
GitHub ReadMe Stats is an open-source tool that renders dynamic GitHub statistics as cards for README files. It can retrieve public user data without explicit authentication for basic use, but supplying a Personal Access Token (PAT) is recommended for consistent performance. The primary reason to authenticate is to avoid GitHub API rate limits, which can otherwise leave a README without its stats card. GitHub allows far fewer requests per hour from unauthenticated clients than from authenticated ones. By providing a PAT, users associate requests with their GitHub account, raising the effective rate limit and making data retrieval for their stats cards reliable.
The authentication mechanism for GitHub ReadMe Stats leverages GitHub's standard Personal Access Token system. This system is a form of token-based authentication, which is a widely adopted method for securing API access. A PAT functions as an alternative to a password for authenticating to GitHub, enabling applications like GitHub ReadMe Stats to perform actions on behalf of a user. Once generated, the PAT is passed with API requests, usually within an Authorization header, to verify the identity of the requesting entity. For detailed information on how GitHub handles API authentication, refer to the GitHub REST API authentication overview.
Supported authentication methods
GitHub ReadMe Stats primarily supports authentication through GitHub Personal Access Tokens (PATs). This method allows the service to make authenticated requests to the GitHub API on behalf of a user.
The table below outlines the supported authentication method, its typical use cases, and the associated security level.
| Method | When to Use | Security Level |
|---|---|---|
| GitHub Personal Access Token (PAT) | Recommended whenever reliable card rendering matters; raises the GitHub API rate limit by tying requests to your account. | High: If proper scope is applied and the token is securely stored (e.g., environment variables, secret management). Allows fine-grained control over permissions. |
| No Authentication (Unauthenticated) | Basic use with publicly available data only; acceptable when occasional missing cards are tolerable. | N/A: No direct authentication is involved for the user. Rate limiting is managed by GitHub on a per-IP basis. Data access is limited to publicly available information. |
When using a PAT, it acts as a Bearer token. Bearer tokens are a common type of access token used in OAuth 2.0 implementations. They grant the bearer access to protected resources without requiring further authentication. For more context on Bearer token usage in general, the OAuth 2.0 Bearer Token Usage specification provides additional details.
Getting your credentials
To obtain a GitHub Personal Access Token (PAT) for use with GitHub ReadMe Stats, follow these steps:
- Navigate to GitHub Developer Settings: Log in to your GitHub account and go to Settings. In the left sidebar, click "Developer settings".
- Select Personal Access Tokens: Under "Developer settings", click "Personal access tokens", then select "Tokens (classic)".
- Generate New Token: Click the "Generate new token" button. You will be prompted to confirm your password.
- Configure Token Details:
  - Note: Provide a descriptive name for your token (e.g., github-readme-stats-token).
  - Expiration: Choose an appropriate expiration date. For maximum security, select a short duration and rotate frequently; "No expiration" allows continuous use but widens the damage window if the token is compromised.
  - Scopes: This is critical for security. For GitHub ReadMe Stats to retrieve public repository data, the minimal recommended scope is public_repo. If you intend to use it with private repositories, you will need the repo scope. Avoid granting unnecessary scopes to limit potential damage if the token is compromised. For detailed scope descriptions, consult the GitHub OAuth App scopes documentation.
- Generate Token: Click the "Generate token" button at the bottom of the page.
- Copy Your Token: GitHub will display your new PAT. Copy it immediately, as you will not be able to see it again once you leave the page. Treat this token as you would a password.
Once you have your PAT, you can use it when integrating GitHub ReadMe Stats. For the official project, you typically set it as an environment variable (e.g., TOKEN or GH_TOKEN) when running or deploying a self-hosted instance, or pass it as a parameter if using a custom setup. The GitHub ReadMe Stats deployment documentation provides details on how to use environment variables for your PAT.
Authenticated request example
When using the hosted version of GitHub ReadMe Stats, authentication is typically handled by passing your Personal Access Token (PAT) as a query parameter in the image URL. This is the simplest method for integrating it directly into your GitHub README.
Here's how to construct an authenticated request using a PAT:
<!-- Example of a GitHub ReadMe Stats card with PAT for rate limit bypass -->
<img src="https://github-readme-stats.vercel.app/api?username=YOUR_GITHUB_USERNAME&token=YOUR_PERSONAL_ACCESS_TOKEN" />
Explanation:
- https://github-readme-stats.vercel.app/api: the base URL of the GitHub ReadMe Stats API endpoint.
- username=YOUR_GITHUB_USERNAME: replace YOUR_GITHUB_USERNAME with your actual GitHub username. This parameter specifies whose stats to retrieve.
- token=YOUR_PERSONAL_ACCESS_TOKEN: replace YOUR_PERSONAL_ACCESS_TOKEN with the PAT you generated. This parameter passes your token to the service, allowing it to make authenticated requests to the GitHub API on your behalf under the higher authenticated rate limit.
Important Considerations:
- Security Warning: Including a PAT directly in a public URL parameter, as shown above, is generally not recommended for sensitive tokens or in environments where the URL might be logged or publicly exposed. While GitHub ReadMe Stats processes the token on its server, this method might expose the token in browser history, server logs, or referrer headers.
- Self-Hosting for Enhanced Security: For higher security or when dealing with highly sensitive tokens (e.g., those with broader scopes), consider self-hosting GitHub ReadMe Stats. When self-hosting, you can set the PAT as an environment variable (e.g., GH_TOKEN or TOKEN), which keeps it out of URLs and client-side code. This is the recommended approach for production deployments or when maximum security is required.
This example demonstrates how to use the token to enhance the reliability of your GitHub ReadMe Stats. Always prioritize securing your tokens according to best practices outlined in the next section.
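A defender-side check for the exposure described above. The script below is added here and is not part of GitHub ReadMe Stats: it finds card URLs that carry a token query parameter in README text and scrubs the value from access-log lines before they are stored or shared. The README snippet and the log line are constructed samples with a fake token value.

```python
import re

# Constructed sample input: a README with one card URL that carries a PAT and
# one that does not, plus a constructed access-log line. The token is fake.
SAMPLE_README = (
    '<img src="https://github-readme-stats.vercel.app/api?username=octocat'
    '&amp;token=ghp_EXAMPLE_NOT_A_REAL_TOKEN" />\n'
    '<img src="https://github-readme-stats.vercel.app/api/top-langs?username=octocat" />\n'
)
SAMPLE_LOG = (
    '203.0.113.5 - - [01/Jan/2024:00:00:00 +0000] "GET /api?username=octocat'
    '&token=ghp_EXAMPLE_NOT_A_REAL_TOKEN HTTP/1.1" 200 "https://github.com/octocat"'
)

# Group 1 keeps the separator and parameter name; group 2 is the secret value.
# Accepts both "&" and the HTML-escaped "&amp;" that README markup often uses.
TOKEN_PARAM_RE = re.compile(r"(?i)((?:\?|&amp;|&)token=)([^&\s\"'<>]+)")


def redact_line(line):
    """Replace every token value in a URL, request path or log line with a marker."""
    return TOKEN_PARAM_RE.sub(r"\g<1>[REDACTED]", line)


def find_exposed_tokens(text):
    """Return (line number, redacted line) for each line that exposes a token value."""
    return [
        (number, redact_line(line))
        for number, line in enumerate(text.splitlines(), start=1)
        if TOKEN_PARAM_RE.search(line)
    ]


if __name__ == "__main__":
    for number, redacted in find_exposed_tokens(SAMPLE_README):
        print(f"README line {number} exposes a token: {redacted}")
    print("log line as it should be stored:", redact_line(SAMPLE_LOG))
```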
Security best practices
Securing your GitHub Personal Access Token (PAT) is paramount when using GitHub ReadMe Stats, as a compromised token could grant unauthorized access to your GitHub account. Adhere to these best practices:
- Principle of Least Privilege: When generating a PAT, grant only the minimum necessary scopes. For public repository stats, the public_repo scope is generally sufficient. Avoid granting broader scopes like repo unless absolutely required for specific functionality involving private repositories. Limiting scopes minimizes the potential damage if a token is compromised.
- Set Token Expiration: Always set an expiration date for your PATs. This limits the window of vulnerability if a token is inadvertently exposed. Rotate your tokens regularly by generating a new one and revoking the old one, even if "No expiration" was initially chosen. GitHub provides options for managing personal access tokens, including setting expirations.
- Secure Storage and Handling:
  - Avoid Public Exposure: Never hardcode your PAT directly into public code repositories or expose it in client-side code.
  - Environment Variables: For self-hosted instances of GitHub ReadMe Stats, store your PAT in environment variables (e.g., GH_TOKEN). This keeps the token out of your codebase and configuration files.
  - Secret Management Services: For production deployments, integrate with dedicated secret management services like AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault. These services provide secure storage, rotation, and access control for sensitive credentials.
  - Do Not Commit: Ensure your .gitignore file is correctly configured to prevent accidentally committing files containing secrets.
- Regular Monitoring and Auditing: Regularly review the activity logs associated with your PATs in GitHub's settings. If you notice any suspicious activity, immediately revoke the token and investigate the cause. Periodically audit the scopes granted to your tokens to ensure they still adhere to the principle of least privilege.
- Revoke Compromised Tokens Immediately: If you suspect your PAT has been compromised, revoke it immediately through your GitHub settings. A compromised token can be used to impersonate you and access your repositories or other data up to the scope of the token.
- Consider Self-Hosting for Enhanced Control: While the public GitHub ReadMe Stats instance simplifies usage, self-hosting provides greater control over the environment and how your PATs are handled. This can be beneficial for organizations or users with stricter security requirements. The GitHub ReadMe Stats self-hosting guide details deployment options.
By implementing these security measures, you can minimize the risk associated with using Personal Access Tokens while still benefiting from the enhanced functionality and reliability provided by authenticated access to GitHub ReadMe Stats.
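To verify that a token created by the steps under "Getting your credentials" actually satisfies the least-privilege and scope-audit guidance above, this added script (not part of the project) inspects the X-OAuth-Scopes and X-RateLimit-* headers that GitHub returns on an authenticated REST call. The GH_TOKEN variable name follows the page; the sample headers are constructed, and the live call runs only when GH_TOKEN is set.

```python
import os
import urllib.request

# Constructed sample headers, shaped like GitHub's response to a call made with
# a classic PAT that was granted more than a public stats card needs.
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "repo, read:user",
    "X-RateLimit-Limit": "5000",
    "X-RateLimit-Remaining": "4990",
}


def parse_scopes(header_value):
    """Split GitHub's comma-separated X-OAuth-Scopes header into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_scopes(granted, need_private=False):
    """Compare granted scopes with what the card needs; empty list means least privilege holds.

    `repo` implies `public_repo`, so a repo-only token can serve public cards
    but is reported as over-privileged for them.
    """
    required = "repo" if need_private else "public_repo"
    findings = []
    if required not in granted and not (required == "public_repo" and "repo" in granted):
        findings.append(f"missing required scope: {required}")
    for scope in sorted(granted - {required}):
        findings.append(f"unnecessary scope: {scope}")
    return findings


def rate_limit_status(headers):
    """Summarise the rate-limit headers; unauthenticated callers get only 60 requests/hour."""
    limit = int(headers.get("X-RateLimit-Limit", "0"))
    remaining = int(headers.get("X-RateLimit-Remaining", "0"))
    return {"limit": limit, "remaining": remaining, "authenticated": limit > 60}


def fetch_headers(token):
    """Live call to /rate_limit, which GitHub does not count against the limit."""
    req = urllib.request.Request(
        "https://api.github.com/rate_limit",
        headers={"Authorization": f"Bearer {token}", "User-Agent": "pat-scope-audit"},
    )
    with urllib.request.urlopen(req) as resp:
        return {name: resp.headers.get(name, "") for name in SAMPLE_HEADERS}


if __name__ == "__main__":
    token = os.environ.get("GH_TOKEN")
    headers = fetch_headers(token) if token else SAMPLE_HEADERS
    print(rate_limit_status(headers))
    for finding in audit_scopes(parse_scopes(headers["X-OAuth-Scopes"])):
        print("FINDING:", finding)
```

Pass need_private=True to audit_scopes when the card is meant to include private repositories, so that the repo scope is treated as required rather than excessive.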