Expiring user-to-server access tokens for GitHub Apps
Starting today, owners of GitHub Apps can choose to have their user-to-server access tokens expire after 8 hours. Expiring user-to-server access tokens enforce regular token rotation and shrink the window in which a leaked or stolen token can be used.
You can opt-in to this security feature in your App's Settings page under the Beta Features tab.
Once enabled, GitHub will provide a refresh token when your app creates a user-to-server token.
{
"access_token": "accesstoken",
"expires_in": "28800",
"refresh_token": "r1.refreshme",
"refresh_token_expires_in": "15811200",
"scope": "",
"token_type": "bearer"
}
Both lifetimes in the response are given in seconds: expires_in of 28800 is the 8-hour access token, and refresh_token_expires_in of 15811200 is roughly 6 months. Within those 6 months the refresh token can be exchanged for a fresh user-to-server access token (valid for another 8 hours) together with a new refresh token, which your app must store in place of the one it just sent:
POST /login/oauth/access_token HTTP/1.1
Host: github.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=r1.refreshme
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
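The following is an added example of how an app can manage these tokens, not code from GitHub or from this announcement. It turns the relative expires_in values into absolute timestamps, refreshes before the 8-hour limit with a safety margin, keeps the client secret in the POST body, and stores the rotated refresh token. github.com is replaced by a constructed in-memory endpoint so it runs offline; the 5-minute margin, the token values it hands out and the "bad_refresh_token" error code it returns on replay are assumptions made for the example.

```python
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_URL = "https://github.com/login/oauth/access_token"
# Policy chosen for this example: refresh once fewer than 5 minutes of life remain,
# so a request already in flight never arrives with a token that just expired.
REFRESH_MARGIN_SECONDS = 300


@dataclass
class UserTokens:
    access_token: str
    access_expires_at: float    # absolute epoch seconds, fixed when the response arrived
    refresh_token: str
    refresh_expires_at: float

    @classmethod
    def from_response(cls, body: Dict, now: float) -> "UserTokens":
        if "error" in body:
            raise RuntimeError(f"token endpoint error: {body['error']}: {body.get('error_description', '')}")
        # GitHub's sample shows expires_in as a string; int() accepts a string or a number.
        return cls(access_token=body["access_token"],
                   access_expires_at=now + int(body["expires_in"]),
                   refresh_token=body["refresh_token"],
                   refresh_expires_at=now + int(body["refresh_token_expires_in"]))

    def needs_refresh(self, now: float) -> bool:
        return now + REFRESH_MARGIN_SECONDS >= self.access_expires_at

    def refresh_token_expired(self, now: float) -> bool:
        return now >= self.refresh_expires_at


def github_post(url: str, form: bytes) -> Dict:
    """Real transport (not used by demo()): form body in, JSON out."""
    req = urllib.request.Request(url, data=form, method="POST", headers={
        "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def refresh_user_token(tokens: UserTokens, client_id: str, client_secret: str, now: float,
                       post: Callable[[str, bytes], Dict] = github_post) -> UserTokens:
    if tokens.refresh_token_expired(now):
        # After 6 months the refresh token is gone too; only a new user authorization helps.
        raise PermissionError("refresh token expired; the user must re-authorize the app")
    # Credentials travel in the POST body, never in the URL, so they stay out of access logs.
    form = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": tokens.refresh_token,
                                   "client_id": client_id, "client_secret": client_secret}).encode("ascii")
    new_tokens = UserTokens.from_response(post(TOKEN_URL, form), now)
    # The response carries a new refresh token: persist new_tokens before using them and
    # treat the refresh token that was just sent as spent.
    return new_tokens


def ensure_fresh(tokens: UserTokens, client_id: str, client_secret: str, now: float,
                 post: Callable[[str, bytes], Dict] = github_post) -> UserTokens:
    return refresh_user_token(tokens, client_id, client_secret, now, post) if tokens.needs_refresh(now) else tokens


class FakeTokenEndpoint:
    """Constructed stand-in for github.com so the example runs offline.
    It honours exactly one outstanding refresh token and rotates it on every use."""
    def __init__(self, valid_refresh_token: str):
        self.valid_refresh_token = valid_refresh_token
        self.calls = 0

    def __call__(self, url: str, form: bytes) -> Dict:
        self.calls += 1
        fields = dict(urllib.parse.parse_qsl(form.decode("ascii")))
        if fields.get("grant_type") != "refresh_token" or fields.get("refresh_token") != self.valid_refresh_token:
            # OAuth 2.0-style error body; the exact error code is an assumption of this example.
            return {"error": "bad_refresh_token", "error_description": "constructed: refresh token unknown or spent"}
        self.valid_refresh_token = f"r1.rotated{self.calls}"   # the token just presented is now dead
        return {"access_token": f"fresh-access-{self.calls}", "expires_in": "28800",
                "refresh_token": self.valid_refresh_token, "refresh_token_expires_in": "15811200",
                "scope": "", "token_type": "bearer"}


# The announcement's own sample response, used as the starting point.
INITIAL_RESPONSE = {"access_token": "accesstoken", "expires_in": "28800", "refresh_token": "r1.refreshme",
                    "refresh_token_expires_in": "15811200", "scope": "", "token_type": "bearer"}


def demo() -> Dict:
    t0 = 1_600_000_000.0                                   # constructed issue time
    endpoint = FakeTokenEndpoint("r1.refreshme")
    tokens = UserTokens.from_response(INITIAL_RESPONSE, t0)
    early = ensure_fresh(tokens, "cid", "csecret", t0 + 7 * 3600, endpoint)      # 1 h left: no call
    near_expiry = t0 + 8 * 3600 - 240                                            # 4 min left
    rotated = ensure_fresh(tokens, "cid", "csecret", near_expiry, endpoint)      # one refresh
    try:                                                                         # replay the spent token
        refresh_user_token(tokens, "cid", "csecret", near_expiry, endpoint)
        replay_rejected = False
    except RuntimeError:
        replay_rejected = True
    try:                                                                         # 6 months later
        refresh_user_token(rotated, "cid", "csecret", near_expiry + 15811200, endpoint)
        stale_rejected = False
    except PermissionError:
        stale_rejected = True
    return {"unchanged_early": early is tokens, "new_access": rotated.access_token,
            "new_refresh": rotated.refresh_token, "new_access_expires_at": rotated.access_expires_at,
            "calls": endpoint.calls, "replay_rejected": replay_rejected, "stale_rejected": stale_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swap FakeTokenEndpoint for github_post to talk to github.com; the rest of the flow is unchanged. The important operational habit the example shows is writing the new refresh token to storage before the old one is discarded, since a crash between the exchange and the write leaves the app with no usable refresh token and the user has to re-authorize.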
For more information, see "Refreshing user-to-server access tokens."