Elena's AI Blog

The Token Way to GitHub Security

08 May 2023 (updated: 03 Jul 2026) / 9 minutes to read

Elena Daehnhardt


Precise version control workflow illustration


TL;DR:
  • Use GitHub personal access tokens instead of passwords: create in Settings > Developer settings, set scopes (repo for full access), use as password when pushing. More secure than passwords.


Authenticating to GitHub with Personal Access Tokens

GitHub is a web-based platform for version control and collaboration that lets developers work together on projects from anywhere. One feature that makes Git authentication both secure and flexible is the personal access token (PAT). In this post, I explain how to create and use personal access tokens, an excellent way to access and update Git repositories over HTTPS.

What Is a GitHub Personal Access Token (PAT)?

A GitHub personal access token (PAT) is a credential that authenticates Git operations and API requests in place of your account password. It is a unique string that grants scoped access to your account, repositories, and other services without exposing your login credentials. You can create a token with specific permissions and revoke it anytime, giving you fine-grained control over your account’s security.

I like using personal access tokens instead of passwords when authenticating to GitHub in the command line or with the API. You can pull and push, commit, and perform any repository manipulations you need with a personal access token expressly set up for your application and the required level of access.

How to Create a GitHub Personal Access Token

To have a simple setup, I have my remote repository named “origin”, wherein I push my code updates. This is a traditional setup; however, you can call it as you like. I stick with the “origin”.

Please note that if you already have an “origin” defined in your Git client, you might first delete that “origin”. Alternatively, skip this step and define another alias for your remote repository.

git remote remove origin

If git remote add origin later returns error: remote origin already exists, the alias is still defined. Remove it first with git remote remove origin, then re-add it. See my dedicated post Git: “origin already exists” and how to manage remotes for the full fix.

To create a personal access token, go to the GitHub website and log in to your account.

Next, we go to the GitHub developer settings page, which is reached from the “Settings” entry in the dropdown menu just below your user icon. In the left panel, open “Developer Settings” and then “Personal access tokens”.


GitHub Developer Settings under your profile icon

At the moment, you have two options there:

  1. Fine-grained tokens (Beta) help generate API tokens for scripts and tests.
  2. Tokens (classic) can be helpful to access the GitHub API.

I use the classic tokens to access GitHub over HTTPS since I don’t like typing in my credentials while doing my commits and little updates.


GitHub Developer Settings, personal access tokens

I usually give a descriptive name for my token, but you can also provide a description that is misleading to potential mischief :)

When creating a new classic access token, you must define its access scopes. Decide what you want to do with the token, such as managing private repositories, updating Actions workflows, or managing your codespaces; these and many other permissions are explained in the GitHub docs section “Scopes for OAuth Apps”.

It is also essential to set an expiration time for your access token, so that a token that leaks stops working on its own.

When we click on the “Generate token” button at the bottom of the page, our new token will be displayed on the screen, so make sure to copy it and store it securely, as it won’t be shown again. You will need it soon.

Next, go to your local directory with the repository and add the remote under the origin alias, with your access token embedded in the URL as follows:

git remote add origin https://[token]@github.com/[username]/[repository]

How to Use a Personal Access Token to Push to GitHub

Once you have your personal token, you can access your GitHub account and repositories through different tools and applications. For example, you can use it to authenticate with the GitHub API, or you can use it as a password when you push code to a repository.

git push origin master

To use your token, you must replace your password with it. When prompted for a password, use the token instead. I like this workflow because I like using complicated passwords and am too lazy to type them in :) With the personal tokens, I don’t have to worry about memorising my passwords and security.

Fixing “remote: Support for password authentication was removed”

If git push returns remote: Support for password authentication was removed on August 13, 2021 followed by fatal: Authentication failed, GitHub rejected your account password because password authentication over HTTPS is no longer supported. The fix is to authenticate with a personal access token instead: when prompted for a password, paste the PAT, or update the remote URL to embed it:

git remote set-url origin https://[token]@github.com/[username]/[repository]
git push origin master
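A check to run after either of the URL-embedding commands above (the same form appears again in the FAQ). Embedding the token in the remote URL writes it in plaintext to .git/config, and git remote -v and git config --list print it back, so a remote audit is worth having. The script below is an added example written for this post, not code from the original or from GitHub; it assumes remotes are supplied in the tab-separated format that git remote -v prints, uses a constructed sample with a fake token, and shows the credential-helper alternative as a hypothetical configure_credential_helper function.

```shell
#!/bin/sh
# Added example for this post (not code from the original or from GitHub).
# Audits Git remote URLs for a credential embedded as the "userinfo" part of an
# HTTPS URL (https://TOKEN@github.com/...), prints a redacted form, and shows the
# credential-helper alternative. Input format assumed: the tab-separated
# "name<TAB>url (fetch|push)" lines that `git remote -v` prints.

# Return 0 if an http(s) URL carries userinfo (anything before '@' in the
# authority part), 1 otherwise. SSH remotes (git@github.com:...) carry no
# password in the URL, so they are reported as clean.
has_embedded_credential() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}          # strip the scheme
    authority=${rest%%/*}   # authority part, up to the first '/'
    case "$authority" in
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the URL with its userinfo removed, so findings can be logged safely:
# https://TOKEN@github.com/u/r.git -> https://github.com/u/r.git
redact_url() {
    case "$1" in
        http://*|https://*) ;;
        *) printf '%s\n' "$1"; return 0 ;;
    esac
    scheme=${1%%://*}
    rest=${1#*://}
    authority=${rest%%/*}
    path=${rest#"$authority"}
    host=${authority##*@}
    printf '%s://%s%s\n' "$scheme" "$host" "$path"
}

# Read `git remote -v` lines from stdin and print one report line per entry.
# An embedded token sits in plaintext in .git/config and is echoed by
# `git remote -v` and `git config --list`, hence the warning.
audit_remotes() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r name rest; do
        [ -n "$name" ] || continue
        url=${rest%% *}     # drop the trailing " (fetch)" / " (push)"
        if has_embedded_credential "$url"; then
            printf 'WARN  %s -> %s  (credential embedded in remote URL)\n' \
                "$name" "$(redact_url "$url")"
        else
            printf 'ok    %s -> %s\n' "$name" "$url"
        fi
    done
}

# Number of remote entries that embed a credential (stdin as for audit_remotes).
count_embedded() {
    audit_remotes | grep -c '^WARN'
}

# Assumed alternative (not from the post): keep the remote URL free of secrets and
# hand the token to Git's credential helper once. `cache` holds it in memory for
# --timeout seconds; the `store` helper would write it to a plaintext file instead.
configure_credential_helper() {   # usage: configure_credential_helper USERNAME TOKEN
    command -v git >/dev/null 2>&1 || { echo 'git not installed' >&2; return 1; }
    git config --global credential.helper 'cache --timeout=3600'
    printf 'protocol=https\nhost=github.com\nusername=%s\npassword=%s\n' "$1" "$2" \
        | git credential approve
}

# Constructed sample in `git remote -v` format; the token value is fake.
SAMPLE_REMOTES="$(printf '%s\t%s\n' \
    origin   'https://ghp_EXAMPLEFAKETOKEN0000@github.com/example-user/example-repo (fetch)' \
    origin   'https://ghp_EXAMPLEFAKETOKEN0000@github.com/example-user/example-repo (push)' \
    upstream 'https://github.com/example-user/example-repo.git (fetch)' \
    upstream 'https://github.com/example-user/example-repo.git (push)' \
    mirror   'git@github.com:example-user/example-repo.git (fetch)')"

# Report on the sample: the two origin entries are flagged, the rest are clean.
printf '%s\n' "$SAMPLE_REMOTES" | audit_remotes
```

Against a real checkout, run git remote -v | audit_remotes (after sourcing the script) from inside the repository. The redaction step matters because an audit that prints the offending URL verbatim would copy the token into terminal history or CI logs, which is the leak it is trying to find; if an entry is flagged, git remote set-url origin with the plain https://github.com/[username]/[repository] URL removes the token from .git/config, and the helper then supplies it when Git prompts.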

GitHub Personal Access Token FAQ

What scopes should I select for a classic GitHub personal access token?

For full read/write access to your repositories, select the repo scope. Add workflow only if you need to update GitHub Actions workflow files, and read:packages/write:packages for the GitHub Packages registry. Grant the narrowest set of scopes the task requires.

Does a GitHub personal access token expire?

Yes. When you create a classic token you set an expiration date (7, 30, 60, 90 days, a custom date, or no expiration). Setting an expiration is recommended so a leaked token stops working automatically.

How do I use a personal access token instead of a password when pushing?

When Git prompts for a password during git push over HTTPS, paste the token instead of your account password. Alternatively, embed it in the remote URL: https://[token]@github.com/[username]/[repository].

How do I revoke a GitHub personal access token?

Go to Settings > Developer settings > Personal access tokens, open the token, and click Delete. Revoking a token immediately invalidates it for all Git operations and API calls.

Conclusion: Personal Access Tokens for Secure GitHub Authentication

In short, we have created a GitHub personal access token and used it to update the remote repository with new commits. A personal access token is a scoped, revocable credential that replaces your password for Git over HTTPS and the GitHub API. Personal access tokens are easy to set up, and you can revoke them anytime, making them a flexible way to control your account’s security. Using them can save you time and make your development process more secure.

I update this article periodically with new ideas, so click here and save this blog post to your favourite Pinterest board. Pinning it will ensure you can refer to this detailed article later.

Did you like this post? Please let me know if you have any comments or suggestions.

Disclaimer: I have used chatGPT while preparing this post, and this is why I have listed chatGPT in my references section. However, most of the text is rewritten by me, as a human, and spell-checked with Grammarly.

References

1. Creating a personal access token

2. Authenticating with a personal access token

3. GitHub, Scopes for OAuth Apps

4. New Chat (chatGPT by OpenAI)


About Elena

Elena, a PhD in Computer Science, simplifies AI concepts and helps you use machine learning.

Citation
Elena Daehnhardt. (2023) 'The Token Way to GitHub Security', daehnhardt.com, 08 May 2023. Available at: https://daehnhardt.com/blog/2023/05/08/git-using-access-tokens/