
# Personal access tokens

Personal access tokens (PATs) are scoped, expirable credentials you create from your account settings. They're how you authenticate to the API and to git over HTTPS.

PATs are **not** passwords:

- They have an expiration.
- They have scopes — a token cannot do what its scopes don't grant.
- They are listed in your settings with a "last used" timestamp.
- They can be revoked individually without changing your password.

## Scopes

Pick the smallest set the consumer needs.

| Scope | What it allows |
|----------------|----------------------------------------------------------------------|
| `repo:read` | Read repos you can already see (public + your private + collabs). |
| `repo` | Above + push, manage settings on repos you own/admin. |
| `user:read` | Read your profile + email. |
| `user` | Above + edit profile, emails. |
| `notifications` | Read + mark-read your notification inbox. |
| `webhooks` | Manage webhooks on repos you own/admin. |
| `admin:org` | Org management (membership, teams) for orgs you admin. |
| `gist` | Reserved for future Gists feature; non-functional today. |

Scopes only **grant**; they never elevate. A `repo` scope on your PAT cannot push to a repo you don't have write access to.

## Creating a PAT

Settings → Developer settings → Personal access tokens → "New token".

- **Note** — what is this token for? "ci-runner staging" beats "test1".
- **Expiration** — pick the smallest tolerable; 90 days is a reasonable default. "Never" is available but discouraged.
- **Scopes** — check only what you need.

The token is displayed **once**. Copy it now; we cannot show it to you again. If you lose it, revoke and re-create.

## Token format

Tokens are 40 characters of base32 with a `shp_` prefix:

```
shp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

The prefix is recognized by GitHub-style secret-scanning tools. If you accidentally publish a token, secret scanners may notify you (and us); revoke immediately.
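The same prefix check that hosted secret scanners run can be run locally before a commit ever leaves the machine. The following is an added example, not the project's own scanner and not code from this page: it looks for `shp_`-prefixed strings in the added lines of a unified diff and reports them redacted. It assumes (the page does not say) that the 40 base32 characters follow the `shp_` prefix and that base32 is matched case-insensitively; the sample diff and the token inside it are constructed.

```python
import re
from typing import List, Tuple

# Assumption (not stated on the page): the 40 base32 characters come after the
# `shp_` prefix, and the base32 alphabet is accepted in either case.
TOKEN_RE = re.compile(r"\bshp_[A-Za-z2-7]{40}\b")


def find_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every PAT-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def redact(token: str) -> str:
    """Keep the prefix and the last four characters so a finding can be
    matched against the settings list without re-leaking the token."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_staged_diff(diff_text: str) -> List[str]:
    """Report tokens on added lines of a unified diff (removed lines and the
    '+++' file header are skipped). An empty list means the diff is clean."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for m in TOKEN_RE.finditer(line):
            findings.append(f"diff line {lineno}: {redact(m.group(0))}")
    return findings


# Constructed sample: a staged diff that adds one real-looking token, one
# too-short near miss, and removes a token (removals are not reported).
SAMPLE_DIFF = """\
+++ b/config/ci.env
+SHITHUB_TOKEN=shp_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567ABCDEFGH
+OTHER=shp_tooshort
 unchanged line
-REMOVED=shp_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567ABCDEFGH
"""

if __name__ == "__main__":
    for finding in scan_staged_diff(SAMPLE_DIFF):
        print("possible PAT in staged change:", finding)
```

Feed `scan_staged_diff` the output of `git diff --cached` from a pre-commit hook and block the commit when the list is non-empty. Reporting only the prefix and the last four characters lets the finding be tied to an entry in the settings page without copying the full token into a second place that would itself need cleaning.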

## Using a PAT

- **Git over HTTPS:** username = your shithub username, password = the PAT. See [HTTPS clone](./https.md).
- **API:** `Authorization: Bearer <token>` or `Authorization: token <token>`.

## Revoking

Settings → Developer settings → Personal access tokens shows every PAT on the account. Click "Revoke" — the token stops working immediately. Anything using it will get `401`.

If you suspect a token leaked, revoke first and investigate after.
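Putting the two sections above together, the following is an added example client, not the project's own code and not from this page. It reads the PAT from the environment, sends it in the `Authorization: Bearer` form documented above, and turns the `401` that a revoked or expired token produces into a distinct exception, so a job fails with a message that says to rotate the token rather than retrying the call. The base URL `https://shithub.example/api` and the variable name `SHITHUB_TOKEN` are placeholders chosen for this example; only the header form and the `401` behaviour come from the page.

```python
import os
import urllib.error
import urllib.request

# Placeholders (not from the page): pick the real API base URL and whatever
# variable name your CI system uses to hand the PAT to the job.
API_BASE = "https://shithub.example/api"
TOKEN_ENV = "SHITHUB_TOKEN"


class TokenRejected(Exception):
    """The API answered 401: the PAT was revoked, has expired, or was never valid."""


def load_token(env=os.environ) -> str:
    """Read the PAT from the environment and refuse obviously wrong values early,
    so a misconfigured job fails before it makes any request."""
    token = env.get(TOKEN_ENV, "")
    if not token.startswith("shp_"):
        raise ValueError(f"{TOKEN_ENV} is unset or does not look like a PAT (expected shp_ prefix)")
    return token


def build_request(path: str, token: str) -> urllib.request.Request:
    """Build a GET request that carries the PAT as a Bearer token."""
    req = urllib.request.Request(API_BASE + path)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def api_get(path: str, token: str, opener=urllib.request.urlopen) -> bytes:
    """Perform the call. A 401 is mapped to TokenRejected so the caller knows
    the fix is a new token, not a retry; other HTTP errors propagate as-is."""
    try:
        with opener(build_request(path, token), timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        if e.code == 401:
            raise TokenRejected(
                "PAT rejected (401): revoke it in Settings, create a new one, "
                f"and update {TOKEN_ENV}"
            ) from e
        raise


if __name__ == "__main__":
    try:
        print(api_get("/user", load_token())[:200])
    except (ValueError, TokenRejected) as err:
        print("auth problem:", err)
```

The `opener` parameter exists so the 401 path can be exercised without a network; in production leave it at the default. Because the token never appears in the exception text, the message is safe to surface in CI logs.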
