Expiring user-to-server access tokens for GitHub Apps

Starting today, owners of GitHub Apps can choose to have their user-to-server access tokens expire after 8 hours. Expiring user-to-server access tokens help enforce regular token rotation and reduce the impact of a compromised token.

You can opt-in to this security feature in your App's Settings page under the Beta Features tab.

Once enabled, GitHub will provide a refresh token when your app creates a user-to-server token.

{
  "access_token": "accesstoken",
  "expires_in": "28800",
  "refresh_token": "r1.refreshme",
  "refresh_token_expires_in": "15811200",
  "scope": "",
  "token_type": "bearer"
}

This refresh token is valid for 6 months and can be exchanged for a fresh user-to-server access token (valid for another 8 hours) and a new refresh token:

POST /login/oauth/access_token HTTP/1.1
Host: github.com

grant_type=refresh_token
&refresh_token=r1.refreshme
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
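
The refresh flow described above, as an added Python example that is not GitHub's own code and not part of this post: it parses the token response, turns the two lifetimes into absolute expiry times, and exchanges the refresh token only when the access token is about to lapse. The endpoint URL and the response fields come from the post; the `client-id`/`client-secret` values, the 60-second `skew` margin, the `transport` hook used for offline testing and the `TokenSet`/`ensure_fresh` names are assumptions for illustration.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoint from the refresh request shown in the post.
TOKEN_URL = "https://github.com/login/oauth/access_token"

# Constructed sample shaped like the response shown above (not a real token).
SAMPLE_RESPONSE = {
    "access_token": "accesstoken",
    "expires_in": "28800",
    "refresh_token": "r1.refreshme",
    "refresh_token_expires_in": "15811200",
    "scope": "",
    "token_type": "bearer",
}


class TokenSet:
    """Access/refresh token pair with absolute expiry times (Unix seconds)."""

    def __init__(self, response: dict, now: float):
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        # Lifetimes arrive as strings of seconds; convert once, at receipt time.
        self.access_expires_at = now + int(response["expires_in"])
        self.refresh_expires_at = now + int(response["refresh_token_expires_in"])

    def access_token_expired(self, now: float, skew: float = 60) -> bool:
        # Treat the token as expired slightly early so an in-flight request
        # does not fail at the boundary (the skew value is an assumed margin).
        return now + skew >= self.access_expires_at

    def refresh_token_expired(self, now: float) -> bool:
        return now >= self.refresh_expires_at


def build_refresh_body(refresh_token: str, client_id: str, client_secret: str) -> str:
    """Form-encoded body matching the refresh request shown in the post."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def post_form(body: str) -> dict:
    """Default transport: POST the form body and ask GitHub for a JSON reply."""
    req = Request(
        TOKEN_URL,
        data=body.encode(),
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def refresh_user_token(tokens: TokenSet, client_id: str, client_secret: str,
                       now: float = None, transport=post_form) -> TokenSet:
    """Exchange the refresh token for a new access/refresh pair."""
    now = time.time() if now is None else now
    if tokens.refresh_token_expired(now):
        # The 6-month refresh token has lapsed as well: only a new user
        # authorization can recover, so do not retry in a loop.
        raise RuntimeError("refresh token expired; user must re-authorize the app")
    response = transport(build_refresh_body(tokens.refresh_token, client_id, client_secret))
    if "error" in response:
        raise RuntimeError(f"token refresh failed: {response['error']}")
    # Persist the returned refresh token immediately: the reply carries a
    # replacement, so the stored copy must be the new one.
    return TokenSet(response, now)


def ensure_fresh(tokens: TokenSet, client_id: str, client_secret: str,
                 now: float = None, transport=post_form) -> TokenSet:
    """Return a TokenSet whose access token is still usable, refreshing if needed."""
    now = time.time() if now is None else now
    if not tokens.access_token_expired(now):
        return tokens
    return refresh_user_token(tokens, client_id, client_secret, now=now, transport=transport)


if __name__ == "__main__":
    # Offline demonstration with a fake transport returning a constructed reply.
    t0 = 1_700_000_000.0
    tokens = TokenSet(SAMPLE_RESPONSE, now=t0)
    fake = lambda body: dict(SAMPLE_RESPONSE, access_token="newtoken", refresh_token="r1.next")
    later = ensure_fresh(tokens, "client-id", "client-secret", now=t0 + 9 * 3600, transport=fake)
    print("refreshed:", later.access_token != tokens.access_token)
```

Two design points worth keeping when adapting this: record the expiry times as absolute timestamps at receipt (the `expires_in` values are relative to when the response arrived, not to when you next read them), and treat a lapsed refresh token as a terminal condition that sends the user back through authorization rather than something to retry.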

For more information, see "Refreshing user-to-server access tokens."