While the API provides multiple methods for authentication, we strongly recommend using OAuth for production applications. The other methods provided are intended to be used for scripts or testing (i.e., cases where full OAuth would be overkill). Third-party applications that rely on GitHub Enterprise Cloud for authentication should not ask for or collect GitHub Enterprise Cloud credentials. Instead, they should use the OAuth web flow.

Basic Authentication

The API supports Basic Authentication as defined in RFC2617 with a few slight differences. The main difference is that the RFC requires unauthenticated requests to be answered with 401 Unauthorized responses. In many places, this would disclose the existence of user data. Instead, the GitHub API responds with 404 Not Found. This may cause problems for HTTP libraries that assume a 401 Unauthorized response. The solution is to manually craft the Authorization header.

Via personal access tokens

We recommend you use fine-grained personal access tokens to authenticate to the GitHub API.


This approach is useful if your tools only support Basic Authentication but you want to take advantage of personal access token security features.

Via username and password

Note: GitHub has discontinued password authentication to the API starting on November 13, 2020 for all accounts, including those on a GitHub Free, GitHub Pro, GitHub Team, or GitHub Enterprise Cloud plan. You must now authenticate to the GitHub API with an API token, such as an OAuth access token, GitHub App installation access token, or personal access token, depending on what you need to do with the token. For more information, see "Troubleshooting."

Authenticating for SAML SSO

Note: Integrations and OAuth applications that generate tokens on behalf of others are automatically authorized.

Note: In most cases, you can use Authorization: Bearer or Authorization: token to pass a token. However, if you are passing a JSON web token (JWT), you must use Authorization: Bearer.

If you're using the API to access an organization that enforces SAML SSO for authentication, you'll need to create a personal access token and authorize the token for that organization. Visit the URL specified in X-GitHub-SSO to authorize the token for the organization.

The generated URL is valid for one hour, and then expires. After one hour, you will need to generate another URL.

$ curl -v -H "Authorization: Bearer TOKEN"

> X-GitHub-SSO: required; url=
{
  "message": "Resource protected by organization SAML enforcement. You must grant your personal token access to this organization.",
  "documentation_url": ""
}

When requesting data that could come from multiple organizations (for example, requesting a list of issues created by the user), the X-GitHub-SSO header indicates which organizations require you to authorize your personal access token:

$ curl -v -H "Authorization: Bearer TOKEN"

> X-GitHub-SSO: partial-results; organizations=21955855,20582480

The value of organizations is a comma-separated list of organization IDs for the organizations that require authorization of your personal access token.
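As an added example (not code from the GitHub documentation), the following Python crafts the Basic Authorization header by hand, as the Basic Authentication section advises, and parses both forms of the X-GitHub-SSO header shown above so a client knows what to do next; the username, token and SSO URL values are constructed placeholders.

```python
# Added example: manual Basic auth header plus X-GitHub-SSO parsing.
# Not GitHub's own code; token and URL values below are constructed placeholders.
import base64
from typing import Dict, List, Union


def basic_auth_header(username: str, token: str) -> str:
    """Craft the Authorization header yourself: GitHub answers unauthenticated
    requests with 404, so libraries that wait for a 401 challenge never send
    credentials. Use a personal access token as the password."""
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_github_sso(header: str) -> Dict[str, Union[str, List[int]]]:
    """Parse X-GitHub-SSO: 'required; url=<url>' or
    'partial-results; organizations=<id>,<id>' (organization IDs become ints)."""
    status, _, params = header.partition(";")
    result: Dict[str, Union[str, List[int]]] = {"status": status.strip()}
    for param in params.split(";"):
        key, sep, value = param.strip().partition("=")  # first '=' only; the URL may contain '='
        if not sep:
            continue
        if key == "organizations":
            result[key] = [int(o) for o in value.split(",") if o.strip()]
        else:
            result[key] = value
    return result


def sso_action(status_code: int, headers: Dict[str, str]) -> str:
    """Tell the caller what to do next, based on the status code and SSO header.
    Header names are matched case-insensitively, as HTTP requires."""
    sso = next((v for k, v in headers.items() if k.lower() == "x-github-sso"), None)
    if sso is not None:
        info = parse_github_sso(sso)
        if info["status"] == "required":
            return f"authorize token at {info.get('url', '<no url>')}"  # URL is valid for one hour
        if info["status"] == "partial-results":
            ids = ", ".join(str(o) for o in info.get("organizations", []))
            return f"partial results; authorize token for organizations {ids}"
        return "unknown X-GitHub-SSO status"
    if status_code == 404:
        return "not found, or credentials missing/invalid (GitHub returns 404, not 401)"
    return "ok" if status_code < 400 else f"http {status_code}"


if __name__ == "__main__":
    print(basic_auth_header("octocat", "TOKEN"))  # placeholder credentials
    print(sso_action(200, {"X-GitHub-SSO": "partial-results; organizations=21955855,20582480"}))
```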

Working with two-factor authentication

When you have two-factor authentication enabled, Basic Authentication for most endpoints in the REST API requires that you use a personal access token.

You can generate a new personal access token using GitHub Enterprise Cloud developer settings. For more information, see "Creating a personal access token for the command line". You would then use these tokens to authenticate with the GitHub API in the same way as an OAuth token.