Deprecating OAuth Application API

As mentioned in this previous blog post, GitHub has deprecated the OAuth application endpoints and have replaced them with a version that moves the access token in the request body for security.

Deprecation timeline

Brownouts

During a brownout, calls to the old version of OAuth application endpoints will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

  • May 15, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • June 12, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Removal date

All calls to the old version of the OAuth application endpoints will return a status code of 404 starting on:

  • July 1, 2020 at 4:00 PM UTC

Changes to make

Using calls to OAuth Application API

If you're using the version of the OAuth Application API that includes :access_token in the path like:

curl -u my_client_id:my_client_secret -X POST "https://api.github.com/applications/123/tokens/my_access_token"

Instead, you'll need to call the new version that moves :access_token in the request body:

curl -u my_client_id:my_client_secret -X PATCH "https://api.github.com/applications/123/token -d {"access_token": "my_access_token"}"

See the list of OAuth application endpoints below that you'll need to replace with the new endpoints.

Endpoints affected

The following list of OAuth Application endpoints are deprecated and should be replaced with the new corresponding endpoints.

Deprecated Endpoint Deprecated Path New Endpoint New Path
Check an authorization GET /applications/:client_id/tokens/:access_token Check a token POST /applications/:client_id/token
Reset an authorization POST /applications/:client_id/tokens/:access_token Reset a token PATCH /applications/:client_id/token
Revoke app authorization DELETE /applications/:client_id/tokens/:access_token Delete app token DELETE /applications/:client_id/token
Revoke app grant DELETE /applications/:client_id/grants/:access_token Delete app authorization DELETE /applications/:client_id/grant

If you have any questions or feedback, please let us know!