Authenticating to GitHub with Personal Access Tokens
GitHub is a web-based platform for version control and collaboration that lets developers work together on projects from anywhere. One feature that makes Git authentication both secure and flexible is the personal access token (PAT). In this post, I explain how to create and use personal access tokens, an excellent way to access and update Git repositories over HTTPS.
What Is a GitHub Personal Access Token (PAT)?
A GitHub personal access token (PAT) is a credential that authenticates Git operations and API requests in place of your account password. It is a unique string that grants scoped access to your account, repositories, and other services without exposing your login credentials. You can create a token with specific permissions and revoke it anytime, giving you fine-grained control over your account’s security.
I like using personal access tokens instead of passwords when authenticating to GitHub in the command line or with the API. You can pull and push, do commits and do any repository manipulations you need with the personal access tokens expressly set up for your application and required level of access.
How to Create a GitHub Personal Access Token
To have a simple setup, I have my remote repository named “origin”, wherein I push my code updates. This is a traditional setup; however, you can call it as you like. I stick with the “origin”.
Please note that should you already have the “origin” defined in your Git client, you might first delete the “origin”. Alternatively, you skip this step and define another alias for your remote repository.
git remote remove origin
If git remote add origin later returns error: remote origin already exists, the alias is still defined. Remove it first with git remote remove origin, then re-add it. See my dedicated post Git: “origin already exists” and how to manage remotes for the full fix.
To create a personal access token, go to the GitHub website and log in to your account.
Next, we go to the GitHub developer settings page, which is available just below your user icon in the dropdown menu “Settings”. Follow to the left panel to see “Developer Settings” and “Personal access tokens”.
GitHub Developer Settings under your profile icon
At the moment, you have two options there:
- Fine-grained tokens (Beta) help generate API tokens for scripts and tests.
- Tokens (classic) can be helpful to access the GitHub API.
I use the classic tokens to access GitHub over HTTPS since I don’t like typing in my credentials while doing my commits and little updates.
GitHub Developer Settings, personal access tokens
I usually give a descriptive name for my token, but you can also provide a description that is misleading to potential mischief :)
When creating a new classic access token, you must define access scopes. You need to decide what you want to do with your access token, such as private repositories management, update action workflows, manage your codespaces and many other permissions that explained in the GitHub docs section “Scopes for OAuth Apps”
It is also essential to define your access token’s expiration time to protect its security.
When we click on the “Generate token” button at the bottom of the page, our new token will be displayed on the screen, so make sure to copy it and store it securely, as it won’t be shown again. You will need it soon.
Next, you go to your local directory with the repository and add your access token with the origin alias into the URL as follows:
git remote add origin https://[token]@github.com/[username]/[repository]
How to Use a Personal Access Token to Push to GitHub
Once you have your personal token, you can access your GitHub account and repositories through different tools and applications. For example, you can use it to authenticate with the GitHub API, or you can use it as a password when you push code to a repository.
git push origin master
To use your token, you must replace your password with it. When prompted for a password, use the token instead. I like this workflow because I like using complicated passwords and am too lazy to type them in :) With the personal tokens, I don’t have to worry about memorising my passwords and security.
Fixing “remote: Support for password authentication was removed”
If git push returns remote: Support for password authentication was removed on August 13, 2021 followed by fatal: Authentication failed, GitHub rejected your account password because password authentication over HTTPS is no longer supported. The fix is to authenticate with a personal access token instead: when prompted for a password, paste the PAT, or update the remote URL to embed it:
git remote set-url origin https://[token]@github.com/[username]/[repository]
git push origin master
GitHub Personal Access Token FAQ
What scopes should I select for a classic GitHub personal access token?
For full read/write access to your repositories, select the repo scope. Add workflow only if you need to update GitHub Actions workflow files, and read:packages/write:packages for the GitHub Packages registry. Grant the narrowest set of scopes the task requires.
Does a GitHub personal access token expire?
Yes. When you create a classic token you set an expiration date (7, 30, 60, 90 days, a custom date, or no expiration). Setting an expiration is recommended so a leaked token stops working automatically.
How do I use a personal access token instead of a password when pushing?
When Git prompts for a password during git push over HTTPS, paste the token instead of your account password. Alternatively, embed it in the remote URL: https://[token]@github.com/[username]/[repository].
How do I revoke a GitHub personal access token?
Go to Settings > Developer settings > Personal access tokens, open the token, and click Delete. Revoking a token immediately invalidates it for all Git operations and API calls.
Conclusion: Personal Access Tokens for Secure GitHub Authentication
In short, we have created a GitHub personal access token and used it to update the remote repository with new commits. A personal access token is a scoped, revocable credential that replaces your password for Git over HTTPS and the GitHub API. Personal access tokens are easy to set up, and you can revoke them anytime, making them a flexible way to control your account’s security. Using them can save you time and make your development process more secure.
Did you like this post? Please let me know if you have any comments or suggestions.
Git posts that might be interesting for youReferences
1. Creating a personal access token
2. Authenticating with a personal access token
Enjoyed this? Get more like it.
Weekly notes on AI tools, Python, and what I'm actually building — plus a free copy of Fantastic AI: The 2026 Toolkit.