How to Get a GitHub Token: Easy Steps

GitHub deprecated password authentication for Git operations in 2021. Now you need tokens.

Learning how to get a GitHub token takes about 3 minutes and unlocks command line access, CI/CD pipeline automation, and REST API requests for your projects.

Without a valid personal access token, you cannot push code, trigger automated deployments, or authenticate third-party tools with your repositories.

This guide walks through both token types: fine-grained and classic.

You will learn exact navigation paths, permission configurations, secure storage methods, and troubleshooting steps for common authentication errors.

Works for GitHub.com and GitHub Enterprise accounts.

What Is a GitHub Token?

A GitHub token is an authentication credential that grants programmatic access to repositories and API endpoints without using your account password.

Developers need personal access tokens when pushing code via command line, running CI/CD pipelines, or building applications that interact with GitHub’s platform.

This guide covers the complete token generation process in 5 steps, requiring 3-5 minutes and a verified GitHub account.

Prerequisites

Before generating your access token, confirm these requirements:

  • GitHub account (free or paid tier)
  • Verified email address linked to your account
  • Two-factor authentication enabled (recommended but not required)
  • Browser access to github.com

Time estimate: 3-5 minutes.

Skill level: Beginner.

How Do You Access GitHub Developer Settings?

Navigate to your profile photo in the upper-right corner of any GitHub page, click Settings, then scroll to Developer settings at the bottom of the left sidebar to find the Personal access tokens menu.

Action

Click your profile photo (upper-right corner) > Settings.

Scroll down the left sidebar to Developer settings (last option).

Select Personal access tokens > choose either Fine-grained tokens or Tokens (classic).

Purpose

Developer settings centralizes all credential management for API integrations, OAuth apps, and token creation.

How Do You Choose Between Fine-Grained and Classic Tokens?

GitHub offers two token types with different permission models and security levels.

Your choice depends on repository scope, organization policies, and specific use cases.

Fine-Grained Personal Access Tokens

Repository-specific permissions with granular access control.

Each token targets a single user or organization.

Organization owners can require approval before activation.

Best For

  • Private repository access
  • Organization projects with security requirements
  • CI workflows needing minimal permissions
  • Production environments

Personal Access Tokens (Classic)

Broad scope-based permissions across all accessible repositories.

Simpler setup with predefined permission categories.

Best For

  • Open source contributions to external repos
  • Cross-organization access
  • Legacy integrations requiring classic scopes
  • Quick testing and local development

Quick Comparison

| Feature | Fine-Grained PAT | Classic PAT |
|---|---|---|
| Repository Targeting | Specific repos only (Selection) | All repos accessible by the user. |
| Permission Granularity | 50+ individual permissions. | Broad, “all-or-nothing” scopes. |
| Organization Control | Requires Admin approval (optional). | No oversight by organization admins. |
| Expiration Policy | Mandatory (Max 1 year). | Can be set to “No Expiration” (Unsafe). |
| Security Risk | Low (Blast radius is contained). | High (Full account access). |

How Do You Create a Fine-Grained Personal Access Token?

Generate a fine-grained token by selecting specific repositories, setting an expiration date, and choosing individual permissions from the Developer settings page; the token appears once after creation.

Action

Navigate to Settings > Developer settings > Personal access tokens > Fine-grained tokens.

Click Generate new token.

Token Name

Enter a descriptive name identifying the token’s purpose (example: “CI-Pipeline-Prod” or “Local-Dev-Testing”).

Expiration

Select from dropdown: 7 days, 30 days, 60 days, 90 days, or custom date.

GitHub recommends shorter expiration periods for token-based authentication security.

Resource Owner

Choose your personal account or an organization you belong to.

Organization-owned tokens require admin approval if that policy is enabled.

Repository Access

  • Public repositories only – read access to public repos
  • All repositories – access to all repos under resource owner
  • Only select repositories – pick specific repos from dropdown

Permissions

Expand Repository permissions and Account permissions sections.

Set each permission to No access, Read, or Read and write.

Common selections for version control operations:

  • Contents: Read and write (for push/pull)
  • Metadata: Read (required for all tokens)
  • Pull requests: Read and write
  • Actions: Read (for workflow automation)

Purpose

Fine-grained tokens reduce attack surface by limiting access to only necessary repositories and operations.

If credentials leak, exposure stays contained to specified resources.

How Do You Create a Personal Access Token (Classic)?

Generate a classic token by navigating to Developer settings, selecting Tokens (classic), choosing permission scopes, and setting an expiration date; the token value displays once after creation.

Action

Go to Settings > Developer settings > Personal access tokens > Tokens (classic).

Click Generate new token > Generate new token (classic).

Note Field

Enter a description identifying the token purpose: “deploy-script-production” or “local-git-operations”.

Expiration

Select from dropdown: 7 days, 30 days, 60 days, 90 days, custom, or No expiration.

Tokens without expiration pose security risks; use short-lived credentials for production environments.

Select Scopes

Check boxes for required permissions:

  • repo – full control of private repositories (includes repo:status, repo_deployment, public_repo, repo:invite)
  • workflow – update build pipeline files
  • write:packages – upload packages to GitHub Package Registry
  • delete:packages – delete packages from GitHub Package Registry
  • admin:org – full control of organizations
  • gist – create gists
  • read:org – read organization membership

Click Generate token at page bottom.

Purpose

Classic tokens work across all repositories you can access, making them suitable for scripts that interact with multiple repos or external open source projects.

How Do You Set Token Permissions?

Permission configuration determines what operations your token can perform across repositories, organizations, and account settings.

Fine-Grained Permission Categories

Repository Permissions

  • Actions – workflow runs and artifacts
  • Administration – repository settings and teams
  • Contents – repository files and commits
  • Deployments – deployment statuses and environments
  • Environments – environment secrets and protection rules
  • Issues – issue tracking and labels
  • Metadata – search, list, and basic repo info (always required)
  • Pull requests – PR management and reviews

Account Permissions

  • Email addresses – read user email addresses
  • Followers – manage following relationships
  • GPG keys – manage GPG signing keys
  • SSH signing keys – manage SSH keys for signing
  • Starring – star/unstar repositories

Classic Scope Reference

Classic tokens use broader scope categories:

| Scope / Permission | Access Level | Best For |
|---|---|---|
| repo (Classic) | Full control of private/public repos, hooks, and settings. | Power users; legacy scripts. |
| Contents (Fine-grained) | Read/Write access to code, branches, and tags. | Standard dev work (Push/Pull). |
| public_repo | Access to public repositories only. | Open-source contributors. |
| Metadata | Basic repo info (names, descriptions). | Monitoring tools; required for most API calls. |
| Statuses | Commit status (Pass/Fail) read and write. | CI/CD pipelines and testing bots. |
| Workflows | Create/Update .github/workflows YAML files. | Automating GitHub Actions. |
| Administration | Manage settings, collaborators, and repo deletion. | Team leads and repo owners. |

How Do You Copy and Store Your Token Securely?

Copy your token immediately after generation using the clipboard icon; GitHub displays the token value only once and cannot recover it later.

Action

Click the copy icon next to your new token.

Store in a password manager (1Password, Bitwarden, LastPass) or secure secrets vault.

Never commit tokens to Git repositories.

Environment Variables

For local development, store tokens as environment variables:

  • macOS/Linux: export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
  • Windows: set GITHUB_TOKEN=ghp_xxxxxxxxxxxx

Reference in scripts using $GITHUB_TOKEN or %GITHUB_TOKEN%.

CI/CD Secrets

Store tokens in your deployment automation platform’s secrets manager:

  • GitHub Actions: Settings > Secrets and variables > Actions
  • GitLab CI: Settings > CI/CD > Variables
  • Jenkins: Credentials > System > Global credentials

Security Practices

Rotate tokens every 30-90 days.

Use separate tokens for different applications or environments.

Revoke tokens immediately if exposed.

Verification

Confirm your token works before deploying to production systems.

Command Line Test

Test repository cloning with your token:

git clone https://<token>@github.com/username/repository.git

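Expected result: Repository clones without password prompt. Git stores the URL, token included, as the remote in .git/config, so treat this form as a one-off test and keep long-lived tokens in a credential manager.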
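
A check for the leak that "Never commit tokens to Git repositories" warns about, which also catches the copy of the token that a clone URL of the form above leaves in .git/config. This is an added example, not part of the original article; the token lengths in the patterns, the sample files and the function names are assumptions of this example.

```python
import re

# Shapes commonly used by secret scanners; the lengths are assumptions,
# not values stated in the article.
PATTERNS = [
    ("classic token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("fine-grained token", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b")),
    ("credential in remote URL", re.compile(r"https://[^/\s@]+@github\.com/")),
]

FAKE = "ghp_" + "A1b2" * 9  # constructed value with the right shape, not a real token

# Constructed files: the remote URL a token-in-URL clone writes to .git/config,
# a .env file holding the token, and a README that only shows a placeholder.
SAMPLE_FILES = {
    ".git/config": '[remote "origin"]\n\turl = https://' + FAKE
                   + "@github.com/username/repository.git\n",
    ".env": "GITHUB_TOKEN=" + FAKE + "\nDEBUG=1\n",
    "README.md": "export GITHUB_TOKEN=ghp_xxxxxxxxxxxx\n",
}

def redact(match_text):
    """Keep only the first four characters so reports never copy the secret."""
    return match_text[:4] + "..."

def scan(files):
    """Return (path, line_number, kind, redacted_match) for every hit."""
    hits = []
    for path, text in sorted(files.items()):
        for number, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                for match in pattern.finditer(line):
                    hits.append((path, number, kind, redact(match.group())))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(*hit, sep="\t")
```

The short placeholder in README.md is not reported, because the patterns require a full-length token.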

API Test

Verify API access with curl:

curl -H "Authorization: Bearer ghp_xxxxxxxxxxxx" https://api.github.com/user

Expected result: JSON response with your account information.
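
Running the same request with curl -i also prints the response headers, which report a classic token's scopes (x-oauth-scopes) and the token's expiry (github-authentication-token-expiration). The added example below, which is not part of the original article, parses such a response and reports missing scopes, scopes broader than the job needs, and a near or absent expiry; the sample response, the expiry date format, the 14-day threshold, the BROAD list and the function names are assumptions of this example.

```python
from datetime import datetime, timezone

BROAD = {"repo", "admin:org", "delete:packages"}  # this example's policy choice
# Sub-scopes the article lists under "repo"; holding "repo" satisfies them.
IMPLIED = {"repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"}}

# Constructed response head, not captured from a real account.
SAMPLE = """HTTP/2 200
content-type: application/json; charset=utf-8
x-oauth-scopes: repo, workflow, read:org
github-authentication-token-expiration: 2030-01-31 12:00:00 UTC
"""

def parse_head(raw):
    """Return (status_code, headers) with header names lower-cased."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw, needed, now=None):
    """List findings for the token behind this response; `needed` is a set of scopes."""
    status, headers = parse_head(raw)
    if status == 401:
        return ["401: token expired, revoked, or mistyped"]
    if status == 403:
        return ["403: token lacks permission for this resource"]
    findings = []
    if "x-oauth-scopes" in headers:  # classic tokens; assumed absent for fine-grained
        held = {s.strip() for s in headers["x-oauth-scopes"].split(",") if s.strip()}
        covered = held.union(*(IMPLIED.get(s, set()) for s in held))
        findings += [f"missing scope: {s}" for s in sorted(needed - covered)]
        findings += [f"broader than needed: {s}" for s in sorted((held & BROAD) - needed)]
    expiry = headers.get("github-authentication-token-expiration")
    if expiry is None:
        findings.append("no expiration reported: token may never expire")
    else:
        # Assumed format "YYYY-MM-DD HH:MM:SS UTC"; the zone suffix is taken as UTC.
        when = datetime.strptime(expiry[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        days = (when - (now or datetime.now(timezone.utc))).days
        if days < 14:
            findings.append(f"expires in {days} days: rotate")
    return findings
```

For a script that only needs workflow and public_repo, the sample token is flagged for holding the full repo scope.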

GitHub CLI Test

Authenticate using GitHub CLI:

gh auth login --with-token < token.txt

Check status: gh auth status

Troubleshooting

Authentication Failed Error

Issue: fatal: Authentication failed for repository

Solution: Verify token has repo scope (classic) or Contents permission (fine-grained); confirm token hasn’t expired; check for typos when copying.

Token Permissions Insufficient

Issue: 403 Forbidden or Resource not accessible by integration

Solution: Generate new token with additional permissions; for fine-grained tokens, add specific repository to token access list.

Token Expired

Issue: Previously working token stops authenticating.

Solution: Check expiration in Settings > Developer settings > Personal access tokens; regenerate with new expiration date.

Organization Approval Pending

Issue: Fine-grained token shows “Pending” status.

Solution: Contact organization admin to approve token request; check organization’s token policy in Settings > Personal access tokens > Settings.

Token Not Shown After Creation

Issue: Missed copying token, page refreshed.

Solution: Generate a new token; GitHub cannot display existing token values; delete the orphaned token from your list.

Alternative Methods

GitHub CLI Authentication

Run gh auth login and follow interactive prompts.

Time: 2 minutes.

Handles token creation and Git configuration automatically.

SSH Keys

Generate SSH key pair: ssh-keygen -t ed25519 -C "your_email@example.com"

Add public key to GitHub: Settings > SSH and GPG keys > New SSH key.

Time: 5 minutes.

Better for long-term access without token rotation.

OAuth Apps

For user-facing applications requiring GitHub login, OAuth apps provide delegated authorization without exposing personal tokens.

Suitable for custom applications that need user authentication flows.

FAQ on How To Get A GitHub Token

What is a GitHub personal access token?

A personal access token is an authentication credential replacing your password for Git operations and API requests.

It grants programmatic access to repositories, workflows, and account settings based on configured scopes or permissions.

Where do I find my GitHub token after creation?

GitHub displays your token only once immediately after generation.

If you missed copying it, navigate to Settings > Developer settings > Personal access tokens and generate a new one. The old token cannot be retrieved.

What is the difference between fine-grained and classic tokens?

Fine-grained tokens offer repository-specific permissions with granular access control.

Classic tokens use broader scopes affecting all accessible repositories. Fine-grained tokens provide better security; classic tokens support more use cases including external repositories.

How long does a GitHub token last?

Token expiration depends on your selection during creation: 7, 30, 60, 90 days, or custom dates.

Classic tokens allow “No expiration” but GitHub recommends shorter lifespans for security best practices.

Can I use one token for multiple repositories?

Classic tokens automatically access all repositories you have permission to use.

Fine-grained tokens require selecting specific repositories during creation, or choosing “All repositories” under the resource owner.

What permissions do I need to push code?

For fine-grained tokens, enable Contents: Read and write plus Metadata: Read.

For classic tokens, select the repo scope. These permissions allow committing changes and pushing to remote branches.

Why does my token show “Authentication failed”?

Common causes: expired token, insufficient permissions, typos when copying, or organization blocking classic tokens.

Verify expiration date in Developer settings, regenerate with correct scopes, and check organization access policies.

How do I use a token with Git command line?

Use your token as the password when Git prompts for credentials.

Or include it in the URL: git clone https://TOKEN@github.com/user/repo.git. Store tokens in credential managers for convenience.

Can I regenerate an existing token?

Yes. Navigate to your token in Developer settings and click Regenerate token.

This creates a new token value while keeping the same name, expiration, and permissions. The old value stops working immediately.

How do I revoke a compromised token?

Go to Settings > Developer settings > Personal access tokens.

Find the compromised token and click Delete. The token loses access instantly. Generate a replacement with the same permissions for your DevOps workflows.

Conclusion

Understanding how to get a GitHub token removes authentication barriers from your development workflow.

You now know the exact steps: access Developer settings, choose between fine-grained or classic token types, configure scopes, and store credentials securely.

Fine-grained tokens offer tighter security for organization projects. Classic tokens provide flexibility for open source contributions and cross-repository scripts.

Set expiration dates. Use configuration management tools for credential storage. Rotate tokens regularly.

Token-based access powers everything from simple Git push operations to complex build automation pipelines.

Bookmark this guide for quick reference when generating new tokens or troubleshooting authentication failures.

Your repositories are now accessible through secure, controlled API credentials.
