Expiring user-to-server access tokens for GitHub Apps

April 30, 2020
jakewilkins

Starting today owners of GitHub Apps can choose to have their user-to-server access tokens expire after 8 hours. Expiring user-to-server access tokens help to enforce regular token rotation and reduce the impact of a compromised token.

You can opt-in to this security feature in your App's Settings page under the Beta Features tab.

Once enabled, GitHub will provide a refresh token when your app creates a user-to-server token.

{
  "access_token": "accesstoken",
  "expires_in": "28800",
  "refresh_token": "r1.refreshme",
  "refresh_token_expires_in": "15811200",
  "scope": "",
  "token_type": "bearer"
}

This refresh token is valid for 6 months and can be exchanged for a fresh user-to-server access token (valid for another 8 hours) and a new refresh token:

POST /login/oauth/access_token HTTP/1.1
Host: github.com

grant_type=refresh_token
refresh_token=r1.refreshme
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

For more information, see "Refreshing user-to-server access tokens."

This content may be out of date. For the newest content, see the API posts on the GitHub Blog.

All of GitHub's Docs are now in one place! You can see Apps, REST API, and GraphQL API on GitHub Docs.

Expiring user-to-server access tokens for GitHub Apps

Recent Posts

This content may be out of date. For the newest content, see the API posts on the GitHub Blog. All of GitHub's Docs are now in one place! You can see Apps, REST API, and GraphQL API on GitHub Docs.

Expiring user-to-server access tokens for GitHub Apps

Recent Posts

This content may be out of date. For the newest content, see the API posts on the GitHub Blog.

All of GitHub's Docs are now in one place! You can see Apps, REST API, and GraphQL API on GitHub Docs.