Deprecating API authentication through query parameters

As mentioned in this previous blog post, GitHub no longer supports authentication through query parameters. Instead, we recommend users move the authentication in the header.

This deprecation has not been applied to GitHub Enterprise offerings yet. We still recommend GitHub Enterprise customers make changes in their applications if possible. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have authorization through query parameters removed.

Deprecation timeline

Brownouts

During a brownout, authentication using query parameters will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help them find unmigrated authentication calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • October 28, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Removal date

All authentication using query parameters will return a status code of 401 like all other auth failures starting on:

  • November 13, 2020 at 4:00 PM UTC

Changes to make

Starting on November 13th, using access_token as a query parameter to access the API (as a user or as a GitHub App) or using client_id/client_secret to make OAuth app unauthenticated calls will be disabled. For examples, see below.

Common uses of access_token as a query param include:

Using access_token as a query param

If you're currently making an API call similar to

curl "https://api.github.com/user/repos?access_token=my_access_token"

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For details on how to generate a token, see "Creating a personal access token."

For details on how to set the token, see these guidelines.

Using client_id/client_secret as a query param

If you're using an OAuth app's client_id and client_secret to make unauthenticated calls with a higher rate limit similar to

curl "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id"

Instead, you should use the following format:

curl -u my_client_id:my_client_secret https://api.github.com/user/repos

Endpoints affected

All requests to endpoints that use the above style of authentication are affected.

If you have any questions or feedback, please let us know!