Deprecated APIs and authentication
We are announcing deprecations that will improve the security of GitHub apps and APIs, but we haven't removed anything yet. We hope that communicating this information early will help you plan for the authentication and authorization changes you will need to make.
Deprecation timeline
We will provide more information over the next few months, including the exact timeline for discontinuing support. Nothing is being removed right now; a follow-up blog post will outline the changes and the date after which the deprecated endpoints and authentication methods described below will no longer be supported.
Authenticating using passwords
GitHub is deprecating password authentication to the API. For limited situations such as testing, create a personal access token on your Personal access tokens settings page and send it in place of a password. Production apps should authenticate users with the OAuth web application flow instead. For more information, see "Authorizing OAuth Apps."
Authenticating using query parameters
GitHub is deprecating authentication to the GitHub API using query parameters, such as an access_token query parameter for OAuth user authentication or client_id and client_secret query parameters for OAuth application authentication. A secret carried in the query string is written to web-server and proxy access logs, browser history and Referer headers along the way. All authentication to the GitHub API should be done through the HTTP Authorization header instead: send an OAuth token as "Authorization: token OAUTH-TOKEN", and send OAuth application credentials (client_id and client_secret) using HTTP basic authentication.
Authenticating with SAML organizations
Apps must use the web application flow to obtain OAuth tokens that work with GitHub SAML organizations. OAuth tokens created using the Authorizations API are unable to access resources for GitHub SAML organizations.
Deprecating and adding endpoints for the OAuth Authorizations and OAuth Applications APIs
GitHub is deprecating the Authorizations API, which includes these endpoints:
GET /authorizations
GET /authorizations/:authorization_id
POST /authorizations
PUT /authorizations/clients/:client_id
PUT /authorizations/clients/:client_id/:fingerprint
PATCH /authorizations/:authorization_id
DELETE /authorizations/:authorization_id
GET /applications/grants
GET /applications/grants/:grant_id
DELETE /applications/grants/:grant_id
Some client-side integrations use the deprecated Authorizations API to create personal access tokens and OAuth access tokens. These tokens must now be created using our web application flow. When appropriate, personal access tokens can still be created by the user on the Personal access tokens page. However, most integrations should register themselves as an OAuth application and use the web application flow to obtain an OAuth access token.
GitHub has replaced several deprecated endpoints with new ones. You can now find both the deprecated and new endpoints in the OAuth Applications API. Specifically, we have deprecated the OAuth Applications API endpoints that take an OAuth token as a path parameter, where it is recorded in request logs in the same way as a query parameter:
GET /applications/:client_id/tokens/:access_token
POST /applications/:client_id/tokens/:access_token
DELETE /applications/:client_id/tokens/:access_token
DELETE /applications/:client_id/grants/:access_token
These new endpoints replace the deprecated ones; they take the token in the JSON request body (as the access_token field) rather than in the URL:
POST /applications/:client_id/token
PATCH /applications/:client_id/token
DELETE /applications/:client_id/token
DELETE /applications/:client_id/grant
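As an added example (not code from this post or from GitHub), the following Python shows the two migrations above side by side: credentials moved from query parameters into the Authorization header, and the check-token call moved from the deprecated token-in-path endpoint to the new POST /applications/:client_id/token with the token in the JSON body. It also scans a few constructed access-log lines to show what the old request shapes leave behind. The endpoint paths, header formats and the access_token body field are GitHub's; the sample token, client id/secret and log lines are made up for the example.

```python
"""Credentials out of the URL: added example, not code from the GitHub post.

Secrets carried in a URL, whether as a query parameter or as a path segment,
are written to web-server and proxy access logs, browser history and Referer
headers. The functions below build the replacement requests (token in the
Authorization header, app credentials as HTTP basic auth, token in the JSON
body for the new /applications/:client_id/token endpoints) and a small scanner
shows what the legacy request shapes leave in an access log.

Endpoint paths, header formats and the access_token body field are GitHub's;
the token, client id/secret and log lines are constructed for this example.
"""
import base64
import json
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

API = "https://api.github.com"


def user_token_headers(token: str) -> dict:
    """OAuth user token: Authorization header instead of ?access_token=..."""
    return {"Authorization": f"token {token}"}


def app_basic_headers(client_id: str, client_secret: str) -> dict:
    """OAuth app credentials: HTTP basic auth instead of ?client_id=&client_secret=..."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def strip_query_credentials(url: str) -> tuple:
    """Migrate a legacy URL: remove credential query parameters and return
    (clean_url, headers) carrying the same credentials in the header."""
    parts = urlparse(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    headers = {}
    if "access_token" in params:
        headers = user_token_headers(params.pop("access_token"))
    elif "client_id" in params and "client_secret" in params:
        headers = app_basic_headers(params.pop("client_id"), params.pop("client_secret"))
    return urlunparse(parts._replace(query=urlencode(params))), headers


def check_token_request(client_id: str, client_secret: str, token: str) -> dict:
    """New check-token call: POST /applications/:client_id/token with the token in
    the JSON body. Replaces GET /applications/:client_id/tokens/:access_token,
    which put the token in the path."""
    headers = app_basic_headers(client_id, client_secret)
    headers.update({"Accept": "application/vnd.github.v3+json",
                    "Content-Type": "application/json"})
    return {"method": "POST", "url": f"{API}/applications/{client_id}/token",
            "headers": headers, "body": json.dumps({"access_token": token})}


# Legacy shapes a log reviewer should look for: secret query parameters and
# tokens as path segments of the deprecated /tokens/ and /grants/ endpoints.
_LEAK_PATTERNS = [
    re.compile(r"[?&](?:access_token|client_secret)=([^&\s\"]+)"),
    re.compile(r"/applications/[^/\s]+/(?:tokens|grants)/([^/\s?\"]+)"),
]


def leaked_secrets(log_lines) -> list:
    """Return (line_number, secret) for each credential visible in the log."""
    found = []
    for n, line in enumerate(log_lines, 1):
        for pat in _LEAK_PATTERNS:
            found.extend((n, m) for m in pat.findall(line))
    return found


# Constructed access-log lines (not real traffic): two legacy requests, then
# the migrated check-token call, which leaves no secret in the request line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /user?access_token=examp1etoken HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2020:10:01:03 +0000] "GET /applications/Iv1.abc123/tokens/examp1etoken HTTP/1.1" 200 901',
    '10.0.0.5 - - [12/Mar/2020:10:01:04 +0000] "POST /applications/Iv1.abc123/token HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    print(strip_query_credentials(f"{API}/user?access_token=examp1etoken&per_page=50"))
    print(check_token_request("Iv1.abc123", "s3cr3t", "examp1etoken")["url"])
    for line_no, secret in leaked_secrets(SAMPLE_LOG):
        print(f"log line {line_no} exposes a secret: {secret}")
```

The scanner is the check worth running against your own proxy or gateway logs before the removal date: any hit is a request that will break when the deprecated forms are switched off, and a secret that should be rotated because it has already been written to disk.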
Updating command-line utilities to use localhost-based redirect URLs
Command-line tools can now use the web application flow with a localhost-based redirect URL, specifying the port at run time. We have extended our support for localhost-based redirect URLs so that command-line utilities and other client-side integrations can use the web application flow securely. Historically these tools relied on the Authorizations API because they could not easily register a fixed OAuth callback URL for the web application flow. A tool using this flow should bind its callback listener to the loopback address only and verify the state parameter on the redirect, so that it accepts only the redirect it initiated. Please see our documentation on redirect URLs for more information.
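The flow described above, as an added example in Python (not GitHub's own code and not part of this post): the tool binds an ephemeral port on 127.0.0.1, builds the authorize URL with a random state value, accepts the redirect only when the state matches, and then builds the token-exchange request. The loopback listener and the state check actually run; the token exchange is constructed but not sent, so the example works offline. The authorize and access_token URLs are GitHub's; the client id, client secret and the simulated browser redirect are assumptions made for the example.

```python
"""Web application flow from a CLI via a localhost redirect URL: added example,
not GitHub's own code.

The tool is registered with a loopback redirect URL (e.g. http://127.0.0.1/callback)
and chooses the port at run time: it binds an ephemeral port on 127.0.0.1 only,
sends the user to the authorize URL with a random state value, accepts the
redirect on that port only if the state matches, and then exchanges the code
for a token. The listener and the state check run below; the token exchange is
built as the request it would send but not sent, so the example runs offline.
The authorize and token URLs are GitHub's; the client id, client secret and
the simulated browser redirect are constructed for this example.
"""
import secrets
import threading
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


class LoopbackCallback:
    """Listens on 127.0.0.1:<ephemeral port> for the OAuth redirect."""

    def __init__(self, client_id: str, scope: str = "repo"):
        self.client_id, self.scope = client_id, scope
        # Unguessable, per-run state: a redirect that does not carry it is not ours.
        self.state = secrets.token_urlsafe(32)
        self.code = None
        self.error = None
        self._done = threading.Event()
        # Loopback address only; binding 0.0.0.0 would accept redirects from other hosts.
        self.server = HTTPServer(("127.0.0.1", 0), self._handler())
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def authorize_url(self) -> str:
        query = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                 "scope": self.scope, "state": self.state}
        return f"{AUTHORIZE_URL}?{urlencode(query)}"

    def _handler(self):
        owner = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                url = urlparse(self.path)
                params = parse_qs(url.query)
                state = params.get("state", [""])[0]
                code = params.get("code", [""])[0]
                valid = (url.path == "/callback" and code
                         and secrets.compare_digest(state.encode(), owner.state.encode()))
                if not valid:
                    # Wrong path, no code, or a state we did not issue: reject and keep waiting.
                    owner.error = "malformed callback or state mismatch"
                    self._reply(400, b"invalid callback")
                    return
                owner.code, owner.error = code, None
                self._reply(200, b"Authorized. You can close this window.")
                owner._done.set()

            def _reply(self, status: int, body: bytes):
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):  # keep the CLI output clean
                pass

        return Handler

    def wait_for_code(self, timeout: float = 120) -> str:
        """Block until a valid redirect arrives, then close the listener."""
        arrived = self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        if not arrived:
            raise TimeoutError("no valid authorization redirect received")
        return self.code


def token_exchange_request(client_id: str, client_secret: str, code: str,
                           redirect_uri: str, state: str) -> Request:
    """The POST that trades the code for a token (built, not sent). Credentials
    travel in the body of an HTTPS POST, never in the query string. A client
    secret shipped inside a CLI binary is only as secret as that binary."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "redirect_uri": redirect_uri, "state": state}).encode()
    return Request(TOKEN_URL, data=body, method="POST", headers={"Accept": "application/json"})


def simulate_redirect(cb: LoopbackCallback, code: str, state: str) -> int:
    """Stand in for the browser: hit the loopback callback, return the HTTP status."""
    url = f"{cb.redirect_uri}?{urlencode({'code': code, 'state': state})}"
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    cb = LoopbackCallback("Iv1.constructedclientid")
    print("open:", cb.authorize_url())
    webbrowser.open(cb.authorize_url())          # real flow: the user signs in on GitHub
    code = cb.wait_for_code()                    # GitHub redirects to 127.0.0.1:<port>/callback
    req = token_exchange_request("Iv1.constructedclientid", "constructed-secret",
                                 code, cb.redirect_uri, cb.state)
    print("would POST to", req.full_url)         # urlopen(req) completes the flow
```

The state check is the part that matters: without it, anything else on the machine that can reach the loopback port could hand the tool an authorization code of its choosing, and the tool would exchange it for a token bound to the wrong account.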
If you have any questions or feedback, please let us know!