
Creating a personal access token

You can create a personal access token to use in place of a password with the command line or with the API.

Warning: Treat your access tokens like passwords.

To access GitHub from the command line, consider using GitHub CLI or Git Credential Manager instead of creating a personal access token.

When using a personal access token in a script, consider storing your token as a secret and running your script through GitHub Actions. For more information, see "Encrypted secrets." You can also store your token as a Codespaces secret and run your script in Codespaces. For more information, see "Managing encrypted secrets for your codespaces."

If these options are not possible, consider using another service such as the 1Password CLI to store your token securely.

About personal access tokens

Personal access tokens are an alternative to using passwords for authentication to GitHub Enterprise Cloud when using the GitHub API or the command line. Personal access tokens are intended to access GitHub resources on behalf of yourself. To access resources on behalf of an organization, or for long-lived integrations, you should use a GitHub App. For more information, see "About apps."

GitHub currently supports two types of personal access tokens: fine-grained personal access tokens and personal access tokens (classic). GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible. Fine-grained personal access tokens have several security advantages over personal access tokens (classic):

  • Each token can only access resources owned by a single user or organization.
  • Each token can only access specific repositories.
  • Each token is granted specific permissions, which offer more control than the scopes granted to personal access tokens (classic).
  • Each token must have an expiration date.
  • Organization owners can require approval for any fine-grained personal access tokens that can access resources in the organization.
  • Enterprise owners can require approval for any fine-grained personal access tokens that can access resources in organizations owned by the enterprise.

Additionally, organization owners can restrict the access of personal access tokens (classic) to their organization, and enterprise owners can restrict the access of personal access tokens (classic) to the enterprise or organizations owned by the enterprise.

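Note: Currently, some features only work with personal access tokens (classic):

  • Only personal access tokens (classic) have write access for public repositories that are not owned by you or an organization that you are a member of.
  • Only personal access tokens (classic) automatically have write access for internal repositories that are owned by your enterprise. Fine-grained personal access tokens must be granted access to internal repositories.
  • Outside collaborators can only use personal access tokens (classic) to access organization repositories that they are a collaborator on.
  • Only personal access tokens (classic) can access enterprises. (Fine-grained personal access tokens can access organizations owned by enterprises.)
  • The following APIs only support personal access tokens (classic). For a list of REST API operations that are supported for fine-grained personal access tokens, see "Endpoints available for fine-grained personal access tokens."
    • GraphQL API
    • REST API for enterprise administrators
    • REST API to manage source imports
    • REST API to manage Projects (classic)
    • REST API to manage GitHub Packages
    • REST API to manage notifications
    • REST API to transfer a repository
    • REST API to create a repository from a template
    • REST API to create a repository for the authenticated user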

As a security precaution, GitHub automatically removes personal access tokens that haven't been used in a year. To provide additional security, we highly recommend adding an expiration to your personal access tokens.

Creating a fine-grained personal access token

Note: Fine-grained personal access tokens are currently in beta and subject to change. To leave feedback, see the feedback discussion.

  1. Verify your email address, if it hasn't been verified yet.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, under Personal access tokens, click Fine-grained tokens.

  5. Click Generate new token.

  6. Optionally, under Token name, enter a name for the token.

  7. Under Expiration, select an expiration for the token.

  8. Optionally, under Description, add a note to describe the purpose of the token.

  9. Under Resource owner, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear unless the organization opted in to fine-grained personal access tokens. For more information, see "Setting a personal access token policy for your organization." You may be required to perform SAML single sign-on (SSO) if the selected organization requires it and you do not already have an active SAML session.

  10. Optionally, if the resource owner is an organization that requires approval for fine-grained personal access tokens, below the resource owner, in the box, enter a justification for the request.

  11. Under Repository access, select which repositories you want the token to access. You should choose the minimal repository access that meets your needs. Tokens always include read-only access to all public repositories on GitHub.

  12. If you selected Only select repositories in the previous step, under the Selected repositories dropdown, select the repositories that you want the token to access.

  13. Under Permissions, select which permissions to grant the token. Depending on which resource owner and which repository access you specified, there are repository, organization, and account permissions. You should choose the minimal permissions necessary for your needs. For more information about what permissions are required for each REST API operation, see "Permissions required for fine-grained personal access tokens."

  14. Click Generate token.

If you selected an organization as the resource owner and the organization requires approval for fine-grained personal access tokens, then your token will be marked as pending until it is reviewed by an organization administrator. Your token will only be able to read public resources until it is approved. If you are an owner of the organization, your request is automatically approved. For more information, see "Reviewing and revoking personal access tokens in your organization".

Creating a personal access token (classic)

Note: Organization owners can restrict the access of personal access tokens (classic) to their organization. If you try to use a personal access token (classic) to access resources in an organization that has disabled personal access token (classic) access, your request will fail with a 403 response. Instead, you must use a GitHub App, OAuth App, or fine-grained personal access token.

Note: Your personal access token (classic) can access every repository that you can access. GitHub recommends that you use fine-grained personal access tokens instead, which you can restrict to specific repositories. Fine-grained personal access tokens also enable you to specify fine-grained permissions instead of broad scopes.

  1. Verify your email address, if it hasn't been verified yet.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, under Personal access tokens, click Tokens (classic).

  5. Select Generate new token, then click Generate new token (classic).

  6. Give your token a descriptive name.

  7. To give your token an expiration, select the Expiration drop-down menu, then click a default or use the calendar picker.

  8. Select the scopes you'd like to grant this token. To use your token to access repositories from the command line, select repo. A token with no assigned scopes can only access public information. For more information, see "Available scopes".

  9. Click Generate token.

  10. To use your token to access resources owned by an organization that uses SAML single sign-on, authorize the token. For more information, see "Authorizing a personal access token for use with SAML single sign-on."

Using a token on the command line

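Once you have a token, you can enter it instead of your password when performing Git operations over HTTPS.

For example, on the command line you would enter the following: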

$ git clone https://github.com/username/repo.git
Username: your_username
Password: your_token

Personal access tokens can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to switch the remote from SSH to HTTPS.

If you are not prompted for your username and password, your credentials may be cached on your computer. You can update your credentials in the Keychain to replace your old password with the token.

Instead of manually entering your personal access token for every HTTPS Git operation, you can cache your personal access token with a Git client. Git will temporarily store your credentials in memory until an expiry interval has passed. You can also store the token in a plain text file that Git can read before every request. For more information, see "Caching your GitHub credentials in Git."
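The following credential helper is an added example, not part of the original GitHub documentation. It answers Git's HTTPS credential request with a token taken from the environment (for instance one injected by a secret manager), so the token is neither typed at the prompt nor kept in a plain text file. GH_PAT_USER and GH_PAT are hypothetical variable names.

```shell
#!/bin/sh
# Added example: Git credential helper that serves a personal access token
# from the environment. GH_PAT_USER and GH_PAT are hypothetical names.
#
# Git runs a helper with the action (get, store or erase) as its argument and
# describes the request on stdin as key=value lines ended by a blank line.

pat_credential_helper() {
    action=$1
    protocol=
    host=
    while IFS='=' read -r key value; do
        [ -z "$key" ] && break
        case $key in
            protocol) protocol=$value ;;
            host)     host=$value ;;
        esac
    done

    # Only "get" returns a secret. "store" and "erase" are ignored, so this
    # helper never writes the token to disk.
    [ "$action" = get ] || return 0

    # Answer only for https://github.com, so the token is not handed to
    # another host or sent over plain HTTP.
    [ "$protocol" = https ] || return 0
    [ "$host" = github.com ] || return 0

    # No token available: print nothing and let Git prompt as usual.
    [ -n "${GH_PAT:-}" ] || return 0
    [ -n "${GH_PAT_USER:-}" ] || return 0

    printf 'username=%s\npassword=%s\n' "$GH_PAT_USER" "$GH_PAT"
}

# Saved as an executable script, the file would end with:
#   pat_credential_helper "$@"
# and be registered with:
#   git config --global credential.https://github.com.helper /path/to/script
```

Because the helper ignores store and erase, revoking or rotating the token only requires changing the value supplied through the environment.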
