Deprecating password authentication

As mentioned in this previous blog post, GitHub no longer supports basic authentication using a username and password. Instead, we recommend using personal access tokens or the web application flow.

This deprecation has not been applied to GitHub Enterprise offerings yet. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have password authentication removed.

Deprecation timeline


During a brownout, password authentication will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC
  • October 28, 2020

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC


All password authentication will return a status code of 401 starting:

  • November 13, 2020 at 16:00 UTC

Changes to make

Using username/password for basic auth

If you're using username and password to make API calls like:

curl -u my_user:my_password

Instead, use a personal access token when testing endpoints or doing local development:

curl -H 'Authorization: token my_access_token'

For OAuth Apps, you should use the web application flow to generate an OAuth token that's also used in the header:

curl -H 'Authorization: token my-oauth-token'

Endpoints affected

All endpoints called using password authentication are affected.

If you have any questions or feedback, please let us know!