About user access tokens that expire
Note: User access tokens that expire are currently an optional feature and are subject to change. For more information, see "Expiring user-to-server access tokens for GitHub Apps."
To enforce regular token rotation and reduce the impact of a compromised token, you can configure your GitHub App to use user access tokens that expire. If your app uses user access tokens that expire, then you will receive a refresh token when you generate a user access token. The user access token expires after eight hours, and the refresh token expires after six months. For more information, see "Generating a user access token for a GitHub App."
You can use the refresh token to generate a new user access token and a new refresh token. Once you use a refresh token, that refresh token and the old user access token will no longer work.
If your refresh token expires before you use it, you can regenerate a user access token and refresh token by sending users through the web application flow or device flow. For more information, see "Generating a user access token for a GitHub App."
Configuring your app to use user access tokens that expire
When you create your app, expiration of user access tokens is enabled unless you opt out. For more information, see "Registering a GitHub App." You can also configure this setting after your app has been created.
-
In the upper-right corner of any page on GitHub, click your profile photo.
-
Navigate to your account settings.
- For an app owned by a personal account, click Settings.
- For an app owned by an organization:
- Click Your organizations.
- To the right of the organization, click Settings.
-
In the left sidebar, click Developer settings.
-
In the left sidebar, click GitHub Apps.
-
Next to the GitHub App that you want to modify, click Edit.
-
In the GitHub Apps settings sidebar, click Optional Features.
-
Next to "User-to-server token expiration", click Opt-in or Opt-out. This setting may take a couple of seconds to apply.
GitHub recommends that you opt in to this feature for improved security.
If you opt into user access tokens that expire after you have already generated user access tokens, the previously generated user access tokens will not expire. You can delete these tokens by using the DELETE /applications/CLIENT_ID/token
endpoint. For more information, see "REST API endpoints for OAuth authorizations."
Refreshing a user access token with a refresh token
-
Make a
POST
request to this URL, along with the following query parameters:http(s)://HOSTNAME/login/oauth/access_token
Query parameter Type Description client_id
string
Required. The client ID for your GitHub App. The client ID is different from the app ID. You can find the client ID on the settings page for your app. client_secret
string
Required unless the user access token was generated using the device flow. The client secret for your GitHub App. grant_type
string
Required. The value must be "refresh_token". refresh_token
string
Required. The refresh token that you received when you generated a user access token. -
GitHub will give a response that includes the following parameters:
Response parameter Type Description access_token
string
The user access token. The token starts with ghu_
.expires_in
integer
The number of seconds until access_token
expires. If you disabled expiration of user access tokens, this parameter will be omitted. The value will always be28800
(8 hours).refresh_token
string
The refresh token. If you disabled expiration of user access tokens, this parameter will be omitted. The token starts with ghr_
.refresh_token_expires_in
integer
The number of seconds until refresh_token
expires. If you disabled expiration of user access tokens, this parameter will be omitted. The value will always be15897600
(6 months).scope
string
The scopes that the token has. This value will always be an empty string. Unlike a traditional OAuth token, the user access token is limited to the permissions that both your app and the user have. token_type
string
The type of token. The value will always be bearer
.