Authentication overview
GitHub provides several methods for authenticating users and applications to its platform. These methods secure access to repositories, APIs, and other services, ensuring that only authorized entities can perform actions like pushing code, managing issues, or interacting with organization settings. The choice of authentication method typically depends on the context: whether it's a human user interacting via a web browser, a command-line Git client, or an automated application making API calls.
For direct user interaction with the web interface, GitHub relies on traditional username/password authentication, often augmented with Two-Factor Authentication (2FA). For programmatic access, such as scripting or integrating with third-party applications, GitHub offers more granular and secure options, including Personal Access Tokens (PATs), SSH keys, and OAuth 2.0. These methods are designed to provide secure, non-interactive authentication without exposing user credentials directly.
Adhering to security best practices, such as using fine-grained tokens and regularly rotating credentials, is crucial for maintaining the integrity and confidentiality of data on GitHub. The platform strongly encourages the use of 2FA for all accounts and provides tools to manage and audit access tokens effectively, contributing to a more secure development environment.
Supported authentication methods
GitHub supports several authentication methods, each suited for different use cases and offering varying levels of security and flexibility. Understanding when to use each method is key to implementing secure and efficient workflows.
Personal Access Tokens (PATs)
Personal Access Tokens are an alternative to using your password for authenticating to GitHub when using the GitHub API or the command line. PATs can be assigned specific scopes, limiting their access to only the necessary resources and actions. GitHub recommends using fine-grained PATs for better security control, allowing developers to define repository and organization permissions more precisely.
SSH Keys
SSH (Secure Shell) keys are primarily used for authenticating Git operations, providing a secure way to connect to GitHub without supplying your username and password every time. An SSH key pair consists of a public key, which you upload to your GitHub account, and a private key, which remains on your local machine. When you connect, GitHub encrypts a challenge with your public key, and your client decrypts it with the private key to prove your identity. This method is highly secure as the private key never leaves your machine.
OAuth 2.0
OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to a user's GitHub account without exposing their credentials. It is commonly used by web and mobile applications that need to integrate with GitHub, allowing users to grant specific permissions (e.g., read repository data, create gists) to an application. The application receives an access token in exchange for an authorization code, which it then uses to make API requests on behalf of the user. For a general overview of the OAuth 2.0 framework, refer to the OAuth 2.0 specification.
GitHub Apps
GitHub Apps are a preferred method for building integrations that automate tasks or extend GitHub's functionality. Unlike OAuth Apps, GitHub Apps are first-class actors that can act on their own behalf (not just on behalf of a user). They are installed directly on organizations or repositories and granted specific permissions, making them ideal for continuous integration (CI) tools, bots, and other automated services. Authentication for GitHub Apps involves using a JSON Web Token (JWT) to generate installation access tokens, providing granular control over their capabilities.
Usernames and Passwords (with 2FA)
While generally not recommended for API access due to security risks, traditional username and password authentication, especially when combined with Two-Factor Authentication (2FA), is used for logging into the GitHub web interface. For command-line Git operations over HTTPS, GitHub has deprecated password authentication and now requires Personal Access Tokens (PATs).
The following table summarizes the primary authentication methods:
| Method | When to Use | Security Level |
|---|---|---|
| Personal Access Tokens (PATs) | API access, Git over HTTPS, scripting, CLI tools | High (especially fine-grained PATs with limited scopes) |
| SSH Keys | Git operations over SSH | High (private key never leaves local machine) |
| OAuth 2.0 | Third-party applications requesting user authorization | High (user grants specific permissions, no password shared) |
| GitHub Apps | Automated integrations, CI/CD, bots acting on their own behalf | Very High (granular permissions, JWT-based tokens) |
| Username & Password (with 2FA) | Web interface login | Medium to High (2FA significantly improves security) |
Getting your credentials
The process for obtaining credentials varies depending on the authentication method you choose:
Personal Access Tokens (PATs)
- Navigate to your GitHub account settings.
- Go to Developer settings > Personal access tokens.
- Select either Tokens (classic) or Fine-grained tokens. GitHub recommends fine-grained tokens for new token creation.
- Click Generate new token.
- Provide a descriptive name for the token, set an expiration, and select the necessary scopes or permissions. For fine-grained PATs, specify access to particular repositories or organizations.
- Click Generate token.
- Copy the token immediately. You will not be able to see it again. Store it securely. For detailed instructions, refer to the GitHub documentation on creating a personal access token.
SSH Keys
- Generate an SSH key pair: Open a terminal and run `ssh-keygen -t ed25519 -C "your_email@example.com"`. Follow the prompts to save the key and set an optional passphrase. For a comprehensive guide, see GitHub's SSH key generation instructions.
- Add your SSH public key to GitHub: Copy the contents of your public key file (e.g., `~/.ssh/id_ed25519.pub`).
- In GitHub, go to your account settings > SSH and GPG keys.
- Click New SSH key, provide a title, and paste your public key.
- Click Add SSH key.
- Add your private key to the SSH agent: Ensure your SSH agent is running and add your private key using `ssh-add ~/.ssh/id_ed25519`.
OAuth Applications
- Register your application with GitHub by going to your account settings > Developer settings > OAuth Apps.
- Click New OAuth App.
- Provide the application name, homepage URL, application description, and crucially, the Authorization callback URL.
- Click Register application. GitHub will provide you with a Client ID and a Client Secret. Keep these confidential.
- Implement the OAuth 2.0 authorization flow in your application to exchange the Client ID, Client Secret, and an authorization code for an access token.
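The two halves of that flow in shell, as an added example that is not GitHub's own code or documentation: building the authorization URL with a `state` value that ties the callback to the session, checking that state when the callback arrives, and exchanging the code for a token server-side. The client ID, client secret, callback URL and scopes are placeholder values.

```shell
set -eu

# Placeholder registration values for illustration; real ones come from the OAuth App page
CLIENT_ID="${GITHUB_CLIENT_ID:-Iv1.placeholder_client_id}"
CLIENT_SECRET="${GITHUB_CLIENT_SECRET:-placeholder_client_secret}"
CALLBACK_URL="${OAUTH_CALLBACK_URL:-https://app.example.com/oauth/callback}"

# urlencode <string>: percent-encode everything but RFC 3986 unreserved characters (ASCII input)
urlencode() {
  printf '%s' "$1" | awk '
    BEGIN { for (i = 1; i < 128; i++) ord[sprintf("%c", i)] = i }
    { n = split($0, ch, ""); out = ""
      for (i = 1; i <= n; i++)
        out = out ((ch[i] ~ /[A-Za-z0-9._~-]/) ? ch[i] : sprintf("%%%02X", ord[ch[i]]))
      printf "%s", out }'
}

# new_state: unguessable value kept in the user's session and echoed back by GitHub;
# it binds the callback to the browser that started the flow (CSRF protection)
new_state() { openssl rand -hex 32; }

# authorize_url <state> <scope>: step 1, the URL the browser is redirected to
authorize_url() {
  printf 'https://github.com/login/oauth/authorize?client_id=%s&redirect_uri=%s&scope=%s&state=%s\n' \
    "$(urlencode "$CLIENT_ID")" "$(urlencode "$CALLBACK_URL")" "$(urlencode "$2")" "$(urlencode "$1")"
}

# callback_ok <expected_state> <received_state>: reject any callback whose state does not match
callback_ok() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# exchange_code <code>: step 2, done server-side so the client secret never reaches the browser
exchange_code() {
  curl -sS -X POST https://github.com/login/oauth/access_token \
    -H "Accept: application/json" \
    --data-urlencode "client_id=$CLIENT_ID" --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "code=$1" --data-urlencode "redirect_uri=$CALLBACK_URL" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}
```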
GitHub Apps
- Register a GitHub App by navigating to your account settings > Developer settings > GitHub Apps.
- Click New GitHub App.
- Configure the app's name, description, homepage URL, callback URL, and critically, the permissions it requires and the events it subscribes to.
- Generate a private key for the app. This key is used to sign JWTs for authentication.
- Install the app on your organization or repositories.
- Your application code will use the private key and app ID to generate JWTs, which are then exchanged for installation access tokens to make API calls.
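The last step worked through with openssl, as an added example that is not GitHub's own code: minting the RS256 app JWT with the `iat`, `exp` and `iss` claims, checking its signature locally, and exchanging it for an installation access token. The app ID, key file paths and installation ID are assumed inputs.

```shell
set -eu

# b64url: base64url encoding without padding, as JWTs require
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# b64url_decode <text>: restore the padding, then decode
b64url_decode() {
  local s=$1
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# github_app_jwt <app_id> <private_key.pem>: RS256 JWT with the claims GitHub expects.
# iat is backdated 60 s to tolerate clock skew; exp must be at most 10 minutes ahead.
github_app_jwt() {
  local app_id=$1 key=$2 now header payload sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$((now - 60))" "$((now + 540))" "$app_id" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# jwt_claims <jwt>: print the decoded payload JSON (for inspection and tests)
jwt_claims() { local rest=${1#*.}; b64url_decode "${rest%%.*}"; }

# verify_app_jwt <jwt> <public_key.pem>: check the RS256 signature over header.payload
verify_app_jwt() {
  local header=${1%%.*} rest=${1#*.} payload sigfile ok=1
  payload=${rest%%.*}
  sigfile=$(mktemp)
  b64url_decode "${rest#*.}" > "$sigfile"
  if printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -verify "$2" -signature "$sigfile" >/dev/null 2>&1; then ok=0; fi
  rm -f "$sigfile"
  return $ok
}

# installation_token <jwt> <installation_id>: exchange the app JWT for a short-lived
# installation access token, which is then sent as the Bearer token on API calls
installation_token() {
  curl -sS -X POST \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $1" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "https://api.github.com/app/installations/$2/access_tokens" \
    | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'
}
```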
Authenticated request example
This example demonstrates how to make an authenticated request to the GitHub REST API using a Personal Access Token (PAT) with the curl command-line tool. Replace YOUR_PAT with your actual Personal Access Token.
To list your repositories using a PAT:

```bash
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer YOUR_PAT" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/user/repos
```
In this example:
- `-L` follows redirects.
- `-H "Accept: application/vnd.github+json"` specifies the desired API version and response format.
- `-H "Authorization: Bearer YOUR_PAT"` sends your Personal Access Token in the `Authorization` header using the Bearer token scheme. This is the standard way to pass PATs for API requests.
- `-H "X-GitHub-Api-Version: 2022-11-28"` specifies the API version, which is a recommended practice for stability.
- `https://api.github.com/user/repos` is the endpoint to retrieve repositories for the authenticated user.
For Git operations over HTTPS, you would use a PAT instead of a password:

```text
git clone https://github.com/OWNER/REPOSITORY.git
Username for 'https://github.com': YOUR_GITHUB_USERNAME
Password for 'https://YOUR_GITHUB_USERNAME@github.com': YOUR_PAT
```
Alternatively, configuring a credential helper can cache your PAT, preventing repeated prompts.
Security best practices
Securing your GitHub account and integrations requires adherence to several best practices:
Use Fine-Grained Personal Access Tokens
Whenever possible, generate fine-grained Personal Access Tokens. These tokens allow you to specify highly granular permissions, limiting access to specific repositories, organizations, and actions. This significantly reduces the blast radius if a token is compromised.
Limit Token Scopes
When creating PATs, grant only the minimum scopes required for the task. Avoid tokens with broad permissions like `repo` or `admin:org` unless absolutely essential. Review and restrict scopes regularly.
Set Expiration Dates for Tokens
Always set an expiration date for your PATs. Short-lived tokens reduce the risk associated with a compromised token. Rotate tokens before their expiration, or create new ones for temporary tasks.
Enable Two-Factor Authentication (2FA)
Enable Two-Factor Authentication (2FA) for your GitHub account. This adds an extra layer of security, requiring a second verification method (like a code from a mobile app or a security key) in addition to your password or PAT, making it significantly harder for unauthorized users to access your account.
Store Credentials Securely
Never hardcode PATs, SSH private keys, or OAuth client secrets directly into your code. Use secure methods for storage and retrieval:
- Environment Variables: For scripts and local development.
- Secret Management Systems: For production environments, integrate with services like AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or HashiCorp Vault. These systems provide encrypted storage and controlled access to sensitive credentials. For example, AWS Secrets Manager helps manage database credentials, API keys, and other secrets.
- Git Credential Helpers: For Git operations, configure credential helpers to securely store and retrieve credentials, preventing them from being exposed in plain text.
Use SSH Agent Forwarding
When working with SSH keys across multiple remote servers, use SSH agent forwarding instead of copying your private key to each server. This allows you to use your local private key for authentication on remote machines without the key ever leaving your local system. Forward the agent only to hosts you trust: while the connection is open, anyone with root access on the remote host can use the forwarded agent to authenticate as you.
Regularly Audit Access Logs and Token Usage
Periodically review your GitHub security logs and audit the usage of your PATs, SSH keys, and OAuth applications. This helps identify any suspicious activity or unauthorized access attempts. GitHub provides security logs in your account settings.
Revoke Unused or Compromised Tokens/Keys
Immediately revoke any Personal Access Tokens or SSH keys that are no longer needed, have expired, or are suspected of being compromised. This action minimizes potential security vulnerabilities.
Implement GitHub Apps for Automations
For automated workflows, especially those affecting multiple repositories or organizations, prefer GitHub Apps over PATs. GitHub Apps offer more fine-grained permissions, isolated access, and are designed for machine-to-machine interactions, making them inherently more secure for automation.