We are announcing deprecations that will improve the security of GitHub apps and APIs. We will provide more information over the next few months, including the exact timeline for discontinuing support for the deprecated features.
GitHub is deprecating password authentication to the API. In limited situations like testing, create a personal access token on your Personal access tokens settings page instead of using password authentication. You should authenticate apps in production by using the web application flow. For more information, see "Authorizing OAuth Apps."
GitHub is deprecating authentication to the GitHub API using query parameters, such as using a token query parameter for OAuth user authentication or a client_secret query parameter for OAuth application authentication.
All authentication to the GitHub API should be done using HTTP basic authentication.
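The following added example (not GitHub's code) shows one way to audit a list of request URLs for credentials in the query string and move them into an Authorization header. The parameter names access_token and client_id, the "Authorization: token" header form, and the sample URLs are assumptions that are not stated on this page.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "client_secret" is named on the page; "access_token" and "client_id" are
# assumed parameter names, as is the "Authorization: token" header form.
TOKEN_PARAM, ID_PARAM, SECRET_PARAM = "access_token", "client_id", "client_secret"


def find_deprecated_auth(urls):
    """Return the URLs that still carry a credential in the query string."""
    flagged = []
    for url in urls:
        names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
        if TOKEN_PARAM in names or SECRET_PARAM in names:
            flagged.append(url)
    return flagged


def migrate_request(url):
    """Return (clean_url, headers) with credentials moved into a header."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    query = dict(params)
    headers, drop = {}, set()
    if TOKEN_PARAM in query:
        headers["Authorization"] = "token " + query[TOKEN_PARAM]
        drop.add(TOKEN_PARAM)
    if SECRET_PARAM in query:
        if ID_PARAM not in query:
            raise ValueError("client_secret present without client_id")
        drop.update((ID_PARAM, SECRET_PARAM))
        if "Authorization" not in headers:
            # HTTP basic authentication: base64("client_id:client_secret")
            pair = (query[ID_PARAM] + ":" + query[SECRET_PARAM]).encode()
            headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    kept = [(k, v) for k, v in params if k not in drop]
    return urlunsplit(parts._replace(query=urlencode(kept))), headers


# Constructed sample requests with placeholder credentials.
SAMPLE_URLS = [
    "https://api.github.com/user/repos?access_token=EXAMPLE_TOKEN&per_page=50",
    "https://api.github.com/users/octocat?client_id=EXAMPLE_ID&client_secret=EXAMPLE_SECRET",
    "https://api.github.com/repos/octocat/hello-world/issues?state=open",
]

if __name__ == "__main__":
    for flagged_url in find_deprecated_auth(SAMPLE_URLS):
        print(migrate_request(flagged_url))
```

Non-credential parameters such as per_page are preserved, and a client_id that appears without a client_secret is left in place because it is not a secret on its own.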
Apps must use the web application flow to obtain OAuth tokens that work with GitHub SAML organizations. OAuth tokens created using the Authorizations API are unable to access resources for GitHub SAML organizations.
GitHub is deprecating the Authorizations API, which includes these endpoints:
Some client-side integrations use the deprecated Authorizations API to create personal access tokens and OAuth access tokens. These tokens must now be created using our web application flow. When appropriate, personal access tokens can still be created by the user on the Personal access tokens page. However, most integrations should register themselves as an OAuth application and use the web application flow to obtain an OAuth access token.
GitHub has replaced several deprecated endpoints with new ones. You can now find both the deprecated and new endpoints in the OAuth Applications API. Specifically, we have deprecated OAuth Applications API endpoints containing an OAuth token as a path parameter:
These new endpoints replace the deprecated endpoints:
Command-line tools now support a web-based flow by using localhost-based redirect URLs and specifying a port. We have extended our support for localhost-based redirect URLs to securely improve the experience of command-line utilities for client-side integrations. Historically these tools have relied on the Authorizations API, and they have not been able to easily register an OAuth URL callback to use with our OAuth web application flow. Please see our documentation on redirect URLs for more information.
If you have any questions or feedback, please let us know!
- Deprecated APIs and authentication
November 5, 2019