
Refreshing user-to-server access tokens

To enforce regular token rotation and reduce the impact of a compromised token, you can configure your GitHub App to use expiring user access tokens.


Note: Expiring user tokens are currently an optional feature and subject to change. To opt in or out of the user-to-server token expiration feature, see "Activating optional features for apps." For more information, see "Expiring user-to-server access tokens for GitHub Apps."

About expiring user access tokens

To enforce regular token rotation and reduce the impact of a compromised token, you can configure your GitHub App to use expiring user access tokens. For more information on making user-to-server requests, see "Identifying and authorizing users for GitHub Apps."

Expiring user tokens expire after 8 hours. When you receive a new user-to-server access token, the response will also contain a refresh token, which can be exchanged for a new user token and refresh token. Refresh tokens are valid for 6 months.

Renewing a user token with a refresh token

To renew an expiring user-to-server access token, you can exchange the refresh_token for a new access token and refresh_token.

POST https://github.com/login/oauth/access_token

This callback request will send you a new access token and a new refresh token. This callback request is similar to the OAuth request you would use to exchange a temporary code for an access token. For more information, see "Identifying and authorizing users for GitHub Apps" and "Basics of authentication."

Parameters

| Name | Type | Description |
|------|------|-------------|
| refresh_token | string | Required. The token generated when the GitHub App owner enables expiring tokens and issues a new user access token. |
| grant_type | string | Required. Value must be refresh_token (required by the OAuth specification). |
| client_id | string | Required. The client ID for your GitHub App. |
| client_secret | string | Required. The client secret for your GitHub App. |

Response

{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a",
  "expires_in": "28800",
  "refresh_token": "r1.c1b4a2e77838347a7e420ce178f2e7c6912e169246c34e1ccbf66c46812d16d5b1a9dc86a149873c",
  "refresh_token_expires_in": "15811200",
  "scope": "",
  "token_type": "bearer"
}
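
The refresh exchange described above, as an added Python example (not code from GitHub's documentation). The function names, the `skew` margin, the injectable `send` parameter and the check for an OAuth-style `error` field are assumptions of this example; the `Accept: application/json` header asks for a JSON body like the response shown above.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://github.com/login/oauth/access_token"  # endpoint from this page

def build_refresh_request(refresh_token, client_id, client_secret):
    """Build the POST that exchanges a refresh token for a new token pair."""
    form = urllib.parse.urlencode({
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    # Secrets go in the request body, never the URL, so they stay out of access logs.
    return urllib.request.Request(
        TOKEN_URL, data=form, method="POST",
        headers={"Accept": "application/json"})

def parse_token_response(body, now=None):
    """Turn the JSON response into a record with absolute expiry times."""
    now = time.time() if now is None else now
    data = json.loads(body)
    if "error" in data:  # assumption: failures carry an OAuth-style "error" field
        raise ValueError("token refresh failed: " + str(data["error"]))
    return {
        "access_token": data["access_token"],
        "refresh_token": data["refresh_token"],
        # The sample response encodes lifetimes as strings, so convert explicitly.
        "access_expires_at": now + int(data["expires_in"]),
        "refresh_expires_at": now + int(data["refresh_token_expires_in"]),
    }

def needs_refresh(record, now=None, skew=300):
    """True when the access token is within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    if now >= record["refresh_expires_at"]:
        raise RuntimeError("refresh token expired: repeat the OAuth flow")
    return now >= record["access_expires_at"] - skew

def refresh(record, client_id, client_secret, send=urllib.request.urlopen):
    """Exchange the stored refresh token; the caller must persist the returned
    record, because the response carries a new refresh token as well."""
    req = build_refresh_request(record["refresh_token"], client_id, client_secret)
    with send(req, timeout=10) as resp:
        return parse_token_response(resp.read())
```

Store the returned record in place of the old one in a single write, so the new access token and new refresh token are never saved separately.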

Configuring expiring user tokens for an existing GitHub App

You can enable or disable expiring user-to-server authorization tokens from your GitHub App settings.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the left sidebar, click Developer settings.
  3. In the left sidebar, click GitHub Apps.
  4. Click Edit next to your chosen GitHub App.
  5. In the left sidebar, click Optional Features.
  6. Next to "User-to-server token expiration", click Opt-in or Opt-out. This setting may take a couple of seconds to apply.

Opting out of expiring tokens for new GitHub Apps

When you create a new GitHub App, by default your app will use expiring user-to-server access tokens.

If you want your app to use non-expiring user-to-server access tokens, you can deselect "Expire user authorization tokens" on the app settings page.


Existing GitHub Apps using user-to-server authorization tokens are only affected by this new flow when the app owner enables expiring user tokens for their app.

Enabling expiring user tokens for existing GitHub Apps requires sending users through the OAuth flow to re-issue new user tokens that will expire in 8 hours and making a request with the refresh token to get a new access token and refresh token. For more information, see "Identifying and authorizing users for GitHub Apps."
