Deprecating OAuth Application API

As mentioned in this previous blog post, GitHub has deprecated the OAuth application endpoints and have replaced them with a version that moves the access token in the request body for security.

Deprecation timeline

Brownouts

During a brownout, calls to the old version of OAuth application endpoints will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

  • May 15, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • June 12, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Removal date

All calls to the old version of the OAuth application endpoints will return a status code of 404 starting on:

  • July 1, 2020 at 4:00 PM UTC

Changes to make

Using calls to OAuth Application API

If you're using the version of the OAuth Application API that includes :access_token in the path like:

curl -u my_client_id:my_client_secret -X POST "https://api.github.com/applications/123/tokens/my_access_token"

Instead, you'll need to call the new version that moves :access_token in the request body:

curl -u my_client_id:my_client_secret -X PATCH "https://api.github.com/applications/123/token -d {"access_token": "my_access_token"}"

See the list of OAuth application endpoints below that you'll need to replace with the new endpoints.

Endpoints affected

The following list of OAuth Application endpoints are deprecated and should be replaced with the new corresponding endpoints.

Deprecated Endpoint Deprecated Path New Endpoint New Path
Check an authorization GET /applications/:client_id/tokens/:access_token Check a token POST /applications/:client_id/token
Reset an authorization POST /applications/:client_id/tokens/:access_token Reset a token PATCH /applications/:client_id/token
Revoke app authorization DELETE /applications/:client_id/tokens/:access_token Delete app token DELETE /applications/:client_id/token
Revoke app grant DELETE /applications/:client_id/grants/:access_token Delete app authorization DELETE /applications/:client_id/grant

If you have any questions or feedback, please let us know!

Deprecating OAuth Authorization API

As mentioned in this previous blog post, GitHub has deprecated the OAuth authorization endpoints and recommends that integrators switch to the web application flow to generate access tokens.

Since the OAuth Authorization API requires password authentication, this API will not work once password authentication has been deprecated.

Deprecation timeline

Removal date

All calls to the OAuth authorization endpoints will return a status code of 404 starting on:

  • November 13, 2020 at 4:00 PM UTC

Brownouts

During a brownout, calls to the old version of the OAuth Authorization API will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • October 28, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Changes to make

Calls to OAuth Authorizations API

If you're making OAuth Authorization API calls to manage your OAuth app's authorizations or to create personal access or OAuth tokens like:

curl -u my_username:my_password -X POST "https://api.github.com/authorizations" -d '{"scopes":["public_repo"], "note":"my token", "client_id":"my_client_id", "client_secret":"my_client_secret"}'

Then you must switch to the web application flow to generate access tokens.

Endpoints affected

The following list of OAuth authorization endpoints are deprecated:

If you have any questions or feedback, please let us know!

Deprecating password authentication and OAuth authorizations API

As mentioned in this previous blog post, GitHub has deprecated basic authentication using a username and password.

Deprecation timeline

Brownouts

During a brownout, password authentication will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • October 28, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Removal

All password authentication will return a status code of 401 starting:

  • November 13, 2020 at 4:00 PM UTC

Changes to make

Using username/password for basic auth

If you're using username and password to make API calls like:

curl -u my_user:my_password https://api.github.com/user/repos

Instead, use a personal access token when testing endpoints or doing local development:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For OAuth Apps, you should use the web application flow to generate an OAuth token that's also used in the header:

curl -H 'Authorization: token my-oauth-token' https://api.github.com/user/repos

Endpoints affected

All endpoints called using password authentication are affected.

If you have any questions or feedback, please let us know!

Deprecating API authentication through query parameters

As mentioned in this previous blog post, GitHub has deprecated authentication through query parameters.

Deprecation timeline

Brownouts

During a brownout, authentication using query parameters will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • October 28, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Removal date

All authentication using query parameters will return a status code of 401 like all other auth failures starting on:

  • November 13, 2020 at 4:00 PM UTC

Changes to make

Starting on November 13th, using access_token as a query parameter to access the API (as a user or as a GitHub App) or using client_id/client_secret to make OAuth app unauthenticated calls will be disabled. For examples, see below.

Common uses of access_token as a query param include:

Using access_token as a query param

If you're currently making an API call similar to

curl "https://api.github.com/user/repos?access_token=my_access_token"

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For details on how to generate a token, see "Creating a personal access token."

For details on how to set the token, see these guidelines.

Using client_id/client_secret as a query param

If you're using an OAuth app's client_id and client_secret to make unauthenticated calls with a higher rate limit similar to

curl "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id"

Instead, you should use the following format:

curl -u my_client_id:my_client_secret https://api.github.com/user/repos

Endpoints affected

All requests to endpoints that use the above style of authentication are affected.

If you have any questions or feedback, please let us know!

Automatically marking old incomplete check runs as `stale`

If a check run is in an incomplete state for more than 14 days, GitHub will automatically change the check run's conclusion to stale. The new stale state will be denoted with the symbol and behaves similarly to the timed_out and canceled conclusions. When GitHub marks a check run as stale, a check run webhook event is triggered.

This will prevent old incomplete check runs from stopping apps that rely on the completed check suite event to trigger a flow.

Only GitHub can mark check runs as stale. For more information about possible conclusions of a check run, see the conclusion parameter.

This new behavior will go into effect after February 26th, 2020. All incomplete check runs older than 14 days will be marked stale. This feature will roll out slowly over a couple of days.

Actions API

GitHub Actions is available with GitHub Free, GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub One. GitHub Actions is not available for repositories owned by accounts using legacy per-repository plans. For more information, see GitHub's products in the GitHub Help documentation.

UPDATE (2020-02-19): The Actions API now includes the new List artifacts for a repository endpoint.

UPDATE (2020-02-18): The Actions API for workflow runs will replace check_suite_id with check_suite_url in responses to better adhere to API conventions.

The Actions API enables you to manage GitHub Actions using the REST API. This includes the management of Secrets and Self-hosted runners.

The following endpoints in the Actions API are available for you to use:

During the public beta period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

Creating a repository dispatch event now official part of GitHub API

The "Creating a repository dispatch event" endpoint no longer requires the everest preview.

 application/vnd.github.everest-preview+json

For more information about this endpoint, see the "Create a repository dispatch event."

Thanks again to everyone that tried out these API features during the preview period.

Moving the teams API

We are announcing a new set of endpoints in the Teams API. The new endpoints will allow us to scale and support the Teams API long-term.

The Team APIs will be moving from a top-level path under /teams/:team_id to a scoped path under the organization that owns the team with a path like /organizations/:org_id/team/:team_id. In this move we also are adding support to making these APIs available under a named path as well with /orgs/:org/teams/:team_slug.

Deprecation timeline

The existing API endpoints will be disabled a year from now at the earliest on February 1st 2021.

What changes to make

If you're already using an API endpoint under /teams/:team_id, the easiest way to update your code is to switch to the /organizations/:org_id/team/:team_id endpoint. If you're unsure what org_id to use, you can find it by retrieving the current team under /teams/:team_id. You'll find the org_id inside the organization hash as the id field in the response.

Note: The endpoint routes using organization and team id use the singular team. The plural form of the route already exists. For example, /organizations/:org_id/teams/:team_slug.

Endpoints affected

These endpoints are being deprecated:

These are the new replacement team API endpoints:

As mentioned, these new replacement team API endpoints are available both as /orgs/:org/teams/:team_slug for name based access, and as /organizations/:org_id/team/:team_id for id based access.

If you have any questions or feedback, please let us know!

Revoke GitHub Apps installation tokens with the REST API

Now you can revoke GitHub App installation tokens using the REST API.

To access this new endpoint during the preview period, you must provide a custom media type in the Accept header:

application/vnd.github.gambit-preview+json

During the preview period, we may change aspects of these API endpoints based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

For more information, see the "Revoke an installation token" endpoint.

The Source Import API ends preview

The Source Import API is now an official part of the GitHub API.

To use the Source Import API, you no longer need the barred-rock preview.

application/vnd.github.barred-rock-preview

For more information about this API, see "Source Imports API."

Thanks again to everyone that tried out these API features during the preview period.