Deprecating API authentication through query parameters
As mentioned in this previous blog post, GitHub no longer supports authentication through query parameters. Instead, we recommend users move authentication into the header.
This deprecation has not been applied to GitHub Enterprise offerings yet. We still recommend GitHub Enterprise customers make changes in their applications if possible. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have authorization through query parameters removed.
Deprecation timeline
Brownouts
During a brownout, authentication using query parameters will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help them find unmigrated authentication calls.
The brownouts are scheduled for:
- May 5, 2021: For 12 hours starting at 14:00 UTC
- June 9, 2021: For 24 hours starting at 14:00 UTC
- August 11, 2021: For 48 hours starting at 14:00 UTC
Removal date
All authentication using query parameters will return a status code of 401 like all other auth failures starting on:
- September 8, 2021 at 14:00 UTC
Changes to make
Starting on September 8, 2021, using access_token as a query parameter to access the API (as a user or as a GitHub App) or using client_id/client_secret to make OAuth app unauthenticated calls will be disabled. For examples, see below.
Common uses of access_token as a query param include:
- Direct calls to the GitHub API using personal access tokens
- GitHub Apps that make user-to-server calls on behalf of the user, or Apps that use installation tokens to manage repositories
Using access_token as a query param
If you're currently making an API call similar to:
curl "https://api.github.com/user/repos?access_token=my_access_token"
you should instead send the token in the header:
curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos
For details on how to generate a token, see "Creating a personal access token."
For details on how to set the token, see these guidelines.
Using client_id/client_secret as a query param
If you're using an OAuth app's client_id and client_secret to make unauthenticated calls with a higher rate limit similar to:
curl "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id"
you should instead use the following format:
curl -u my_client_id:my_client_secret https://api.github.com/user/repos
Endpoints affected
All requests to endpoints that use the above style of authentication are affected.
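To find calls that still use either style before the removal date, the following Python example (added here, not GitHub's own code) scans text such as scripts or source files for URLs carrying access_token, client_id or client_secret in the query string, and rewrites each into the header form shown in the two sections above. The function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

CRED_PARAMS = {"access_token", "client_id", "client_secret"}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def migrate(url):
    """Return (clean_url, headers) with credentials moved out of the query string."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    creds = {k: v for k, v in pairs if k in CRED_PARAMS}
    kept = [(k, v) for k, v in pairs if k not in CRED_PARAMS]
    headers = {}
    if "access_token" in creds:
        # Same header the curl example on this page sends.
        headers["Authorization"] = "token " + creds["access_token"]
    elif "client_id" in creds and "client_secret" in creds:
        # curl -u id:secret is HTTP Basic authentication.
        raw = f"{creds['client_id']}:{creds['client_secret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    # Other query parameters (pagination, filters) are preserved.
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, headers


def find_legacy_calls(lines):
    """Yield (line_no, redacted_url, params) for URLs with credentials in the query."""
    for no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            query = urlsplit(url).query
            names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
            found = sorted(names & CRED_PARAMS)
            if found:
                # Report the URL with the secret stripped, never the secret itself.
                yield no, migrate(url)[0], found


# Constructed sample input (placeholder tokens, not real code or credentials).
SAMPLE = [
    'curl "https://api.github.com/user/repos?access_token=my_access_token&per_page=5"',
    "curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos",
    'get("https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id")',
]

if __name__ == "__main__":
    for no, url, params in find_legacy_calls(SAMPLE):
        print(f"line {no}: {url} uses {', '.join(params)} in the query string")
```

Because the finder reports the URL only after the credential parameters are stripped, its output can go into a ticket or CI log without leaking the token a second time.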
If you have any questions or feedback, please let us know!