Deprecating OAuth Authorization API

As mentioned in this previous blog post, GitHub has deprecated the OAuth authorization endpoints and recommends that integrators switch to the web application flow to generate access tokens.

Since the OAuth Authorization API requires password authentication, this API will not work once password authentication has been deprecated.

This deprecation has not been applied to GitHub Enterprise offerings, yet. Though, we still recommend GHES customers to make the changes in their applications, if possible. Please check the latest Enterprise release notes to learn when deprecation is initiated and on which GHES version OAuth Authorization API will be removed.

Deprecation timeline

Removal date

All calls to the OAuth authorization endpoints will return a status code of 404 starting on:

  • November 13, 2020 at 4:00 PM UTC

Brownouts

During a brownout, calls to the old version of the OAuth Authorization API will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • October 28, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Changes to make

Calls to OAuth Authorizations API

If you're making OAuth Authorization API calls to manage your OAuth app's authorizations or to create personal access or OAuth tokens like:

curl -u my_username:my_password -X POST "https://api.github.com/authorizations" -d '{"scopes":["public_repo"], "note":"my token", "client_id":"my_client_id", "client_secret":"my_client_secret"}'

Then you must switch to the web application flow to generate access tokens.

Endpoints affected

The following list of OAuth authorization endpoints are deprecated:

If you have any questions or feedback, please let us know!