Deprecating password authentication

February 14, 2020
jovel
jpemberthy
ptoomey3

As mentioned in this previous blog post, GitHub no longer supports basic authentication using a username and password. Instead, we recommend using personal access tokens or the web application flow.

This deprecation has not been applied to GitHub Enterprise offerings yet. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have password authentication removed.

Deprecation timeline

Brownouts

During a brownout, password authentication will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

September 30, 2020
- From 07:00 UTC to 10:00 UTC
- From 16:00 UTC to 19:00 UTC
October 28, 2020
- From 07:00 UTC to 10:00 UTC
- From 16:00 UTC to 19:00 UTC

Removal

All password authentication will return a status code of 401 starting:

November 13, 2020 at 16:00 UTC

Changes to make

Using username/password for basic auth

If you're using username and password to make API calls like:

curl -u my_user:my_password https://api.github.com/user/repos

Instead, use a personal access token when testing endpoints or doing local development:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For OAuth Apps, you should use the web application flow to generate an OAuth token that's also used in the header:

curl -H 'Authorization: token my-oauth-token' https://api.github.com/user/repos

Endpoints affected

All endpoints called using password authentication are affected.

If you have any questions or feedback, please let us know!

This content may be out of date. For the newest content, see the API posts on the GitHub Blog.

All of GitHub's Docs are now in one place! You can see Apps, REST API, and GraphQL API on GitHub Docs.