Deprecating password authentication and OAuth authorizations API

As mentioned in this previous blog post, GitHub has deprecated basic authentication using a username and password.

Deprecation timeline

Brownouts

During a brownout, password authentication will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC
  • October 28, 2020

    • From 7:00 AM UTC - 10:00 AM UTC
    • From 4:00 PM UTC - 7:00 PM UTC

Removal

All password authentication will return a status code of 401 starting:

  • November 13, 2020 at 4:00 PM UTC

Changes to make

Using username/password for basic auth

If you're using username and password to make API calls like:

curl -u my_user:my_password https://api.github.com/user/repos

Instead, use a personal access token when testing endpoints or doing local development:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For OAuth Apps, you should use the web application flow to generate an OAuth token that's also used in the header:

curl -H 'Authorization: token my-oauth-token' https://api.github.com/user/repos

Endpoints affected

All endpoints called using password authentication are affected.

If you have any questions or feedback, please let us know!