Recommendation: Reset OAuth authorizations

As announced earlier today, we are actively responding to the recently disclosed Heartbleed security vulnerability in OpenSSL. While at this time GitHub has no indication that the attack has been used beyond testing the vulnerability, we recommend that integrators reset the API authorizations for their OAuth applications.

We've added a new API method for this exact purpose. Calling this method will invalidate the old token and return a new token for applications to store and use in its place. This new method provides a safe way to reset user authorizations without requiring users to re-authorize the application on the web.

Integrators can also use the existing revocation methods to revoke all tokens or revoke a single token for their applications.

UPDATE (2016-01-25): API v3 no longer provides a method to revoke all of an application's tokens, as referenced above. If you need to revoke all tokens for your application, you can do so via the settings page for your application.

If you have any questions or feedback, please get in touch.