As mentioned in this previous blog post, GitHub no longer supports authentication through query parameters. Instead, we recommend users move authentication into the header.
This deprecation has not been applied to GitHub Enterprise offerings yet. We still recommend GitHub Enterprise customers make changes in their applications if possible. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have authorization through query parameters removed.
During a brownout, authentication using query parameters will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help them find unmigrated authentication calls.
The brownouts are scheduled for:
- May 5, 2021: For 12 hours starting at 14:00 UTC
- June 9, 2021: For 24 hours starting at 14:00 UTC
- August 11, 2021: For 48 hours starting at 14:00 UTC
All authentication using query parameters will return a status code of 401 like all other auth failures starting on:
- September 8 2021 at 14:00 UTC
Changes to make
Starting on September 8 2021, using access_token as a query parameter to access the API (as a user or as a GitHub App) or using client_secret to make OAuth app unauthenticated calls will be disabled. For examples, see below.
Common uses of access_token as a query param include:
- Direct calls to the GitHub API using personal access tokens
- GitHub Apps that make user-to-server calls on behalf of the user, or Apps that use installation tokens to manage repositories.
access_token as a query param
If you're currently making an API call similar to
Instead, you should send the token in the header:
curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos
For details on how to generate a token, see "Creating a personal access token."
For details on how to set the token, see these guidelines.
client_secret as a query param
If you're using an OAuth app's client_secret to make unauthenticated calls with a higher rate limit similar to
Instead, you should use the following format:
curl -u my_client_id:my_client_secret https://api.github.com/user/repos
All requests to endpoints that use the above style of authentication are affected.
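To find and convert unmigrated calls before a brownout does it for you, the following added example (not GitHub's code) strips credentials from a request URL and returns the equivalent `Authorization` header in the two forms shown above. The helper name `migrate_request` is hypothetical, and the `client_id` query parameter name is an assumption: the post only shows it in the `curl -u` form.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry credentials. "access_token" and "client_secret"
# are named in the post; "client_id" is assumed to accompany client_secret.
CREDENTIAL_PARAMS = {"access_token", "client_id", "client_secret"}


def migrate_request(url):
    """Move query-parameter credentials into an Authorization header.

    Returns (clean_url, headers). headers is empty when the URL carried
    no credentials, so callers can also use this as a detector.
    """
    parts = urlsplit(url)
    creds, kept = {}, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in CREDENTIAL_PARAMS:
            creds[key] = value
        else:
            kept.append((key, value))  # non-credential params stay in the URL

    headers = {}
    if "access_token" in creds:
        # Same form as: curl -H 'Authorization: token my_access_token'
        headers["Authorization"] = "token " + creds["access_token"]
    elif "client_secret" in creds:
        if "client_id" not in creds:
            raise ValueError("client_secret without client_id cannot be migrated")
        # Same form as: curl -u my_client_id:my_client_secret (HTTP Basic)
        pair = f'{creds["client_id"]}:{creds["client_secret"]}'
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif "client_id" in creds:
        kept.append(("client_id", creds["client_id"]))  # not a secret on its own

    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, headers


if __name__ == "__main__":
    # Constructed sample URLs using the post's placeholder values.
    for sample in [
        "https://api.github.com/user/repos?access_token=my_access_token&per_page=5",
        "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_client_secret",
        "https://api.github.com/user/repos?per_page=5",
    ]:
        print(migrate_request(sample))
```

Running the same function over URLs pulled from outbound request logs or source files gives a list of call sites that will start returning 401.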
If you have any questions or feedback, please let us know!