We are announcing deprecations that will improve the security of GitHub apps and APIs, but we haven't removed anything yet. We hope that communicating this information early will help you plan for the authentication and authorization changes you will need to make.
We will provide more information during the following few months, including the exact timeline for discontinuing the support of these deprecations. While we are not removing anything right now, we will follow up with a blog post that outlines the changes and the timeline in which we will no longer support the following deprecated endpoints and authentication methods.
GitHub is deprecating password authentication to the API. In limited situations like testing, create a personal access token on your Personal access tokens settings page instead of using password authentication. You should authenticate apps in production by using the web application flow. For more information, see "Authorizing OAuth Apps."
GitHub is deprecating authentication to the GitHub API using query parameters, such as using an access_token query parameter for OAuth user authentication or a client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using HTTP basic authentication.
Apps must use the web application flow to obtain OAuth tokens that work with GitHub SAML organizations. OAuth tokens created using the Authorizations API are unable to access resources for GitHub SAML organizations.
GitHub is deprecating the Authorizations API, which includes these endpoints:
Some client-side integrations use the deprecated Authorizations API to create personal access tokens and OAuth access tokens. These tokens must now be created using our web application flow. When appropriate, personal access tokens can still be created by the user on the Personal access tokens page. However, most integrations should register themselves as an OAuth application and use the web application flow to obtain an OAuth access token.
GitHub has replaced several deprecated endpoints with new ones. You can now find both the deprecated and new endpoints in the OAuth Applications API. Specifically, we have deprecated OAuth Applications API endpoints containing an OAuth token as a path parameter:
These new endpoints replace the deprecated endpoints:
Command-line tools now support a web-based flow by using localhost-based redirect URLs and specifying a port. We have extended our support for localhost-based redirect URLs to securely improve the experience of command-line utilities for client-side integrations. Historically these tools have relied on the Authorizations API, and they have not been able to easily register an OAuth URL callback to use with our OAuth web application flow. Please see our documentation on redirect URLs for more information.
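The localhost redirect described above, as an added Python example that is not GitHub's own code: a command-line tool builds the authorization URL with a loopback redirect on a chosen port, then accepts a single callback and rejects it unless the state value matches. The callback path, port 8765, the scope value and the client ID placeholder are assumptions made for this example.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
CALLBACK_PATH = "/callback"  # hypothetical path chosen for this example

def build_authorize_url(client_id, port, state, scope="repo"):
    """URL the CLI opens in the user's browser to start the web flow."""
    redirect_uri = f"http://127.0.0.1:{port}{CALLBACK_PATH}"
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}"

def parse_callback(request_target, expected_state):
    """Return the authorization code, or None if the callback is not ours."""
    parts = urlsplit(request_target)
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if parts.path != CALLBACK_PATH or not code:
        return None
    # Constant-time comparison; a mismatched state means the redirect was
    # not triggered by the request this process started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code

def wait_for_code(port, expected_state):
    """Serve exactly one request, bound to the loopback interface only."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_callback(self.path, expected_state)
            self.send_response(200 if result["code"] else 400)
            self.end_headers()

        def log_message(self, *args):  # keep the code out of stderr logs
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    return result.get("code")

if __name__ == "__main__":
    state = secrets.token_urlsafe(32)  # fresh, unguessable value per login
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", 8765, state))
```

The code returned by `wait_for_code` still has to be exchanged for an OAuth access token as the last step of the web application flow; that network call is left out so the example runs offline.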
If you have any questions or feedback, please let us know!