Which GitHub authentication token should I pick?
OAuth token via `gh auth login` (full access; consider for your main trusted system)
- Settings > Applications > Authorized OAuth Apps > GitHub CLI
- Revoking this revokes every system that ever authenticated with `gh auth login` through the browser flow, because all of them hold tokens issued to the same OAuth app authorization
- No expiration
Classic PAT
- Settings > Developer Settings > Personal Access Tokens > Tokens (classic)
- Identifiable (e.g. one token per host, named accordingly)
- Broad scope (scopes are coarse and cover every repo the account can reach)
- No expiration required (an expiry date is optional)
- Minimum scopes for full `gh` functionality: repo, read:org, and gist
- Minimum scope for `gh auth git-credential` only: repo (needed for access to private repos)
- Zero compatibility surprises
Fine-grained tokens
- Settings > Developer Settings > Personal Access Tokens > Fine-grained tokens
- Identifiable (e.g. one token per host)
- Least-privilege (permissions are granted individually and per repository)
- Owner-scoped (only one resource owner can be selected for a fine-grained PAT)
  - Selecting an org requires that the org has enabled fine-grained PATs
  - The org may have chosen to require org admin approval for tokens
- Git is unable to choose between owner-scoped PATs because credential helpers are routed by host
  - You cannot work on repos from different owners without swapping the configured token
  - Caveat: git does pass the repository path to helpers when `credential.useHttpPath` is true, but `gh auth git-credential` looks tokens up by host only, so that setting does not help with `gh`
- Can be fiddly with `gh` (imperfect fit, because `gh` pre-dates fine-grained tokens)
  - However, for `gh auth git-credential` it is a perfect fit
    - Only needs the Contents permission for that (read for clone/fetch, read and write for push)
- Can have an expiration date
  - Optional for personal-scoped tokens
  - Depends on org policy for org-scoped tokens (default as of this writing is 366 days)
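To make the host-based routing limitation concrete, here is a toy git credential helper, added as an example and not code from gh or GitHub. It speaks git's credential protocol (key=value lines on stdin, blank line terminated) and contrasts the host-keyed lookup that `gh auth git-credential` performs with an owner-keyed lookup that can pick between fine-grained PATs. The owner-keyed lookup only works when git sends a `path=` field, which it does only if `credential.useHttpPath` is true. The token values and owner names (`alice`, `acme-org`) are constructed placeholders in GitHub's documented prefix formats; the `x-access-token` username is an assumption borrowed from how GitHub documents installation tokens.

```python
"""Toy git credential helper: host-keyed vs owner-keyed token routing.

Added example, not gh's code. Git calls helpers as `helper get|store|erase`
and passes key=value lines on stdin; `path=` is only present when the
`credential.useHttpPath` setting is true. All token values are constructed.
"""
import sys
from typing import Dict, Optional, Tuple

# One token per host: this is how `gh auth git-credential` routes (constructed value).
TOKENS_BY_HOST: Dict[str, str] = {
    "github.com": "ghp_EXAMPLEclassicTokenNotReal",
}

# One fine-grained PAT per resource owner; usable only if git tells us the path.
TOKENS_BY_OWNER: Dict[Tuple[str, str], str] = {
    ("github.com", "alice"): "github_pat_EXAMPLEaliceNotReal",
    ("github.com", "acme-org"): "github_pat_EXAMPLEacmeNotReal",
}

# Documented GitHub token prefixes for the three kinds discussed on this page.
TOKEN_PREFIXES = {
    "gho_": "OAuth access token",
    "ghp_": "classic PAT",
    "github_pat_": "fine-grained PAT",
}


def token_kind(token: str) -> str:
    """Classify a token by prefix, e.g. to see what kind `gh auth token` hands back."""
    for prefix, kind in TOKEN_PREFIXES.items():
        if token.startswith(prefix):
            return kind
    return "unknown"


def parse_credential_request(text: str) -> Dict[str, str]:
    """Parse git's credential protocol: key=value lines ended by a blank line."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        fields[key] = value
    return fields


def owner_from_path(path: str) -> Optional[str]:
    """First path segment is the repo owner on GitHub ('acme-org/widgets.git')."""
    first = path.strip("/").split("/", 1)[0]
    return first or None


def lookup_by_host(req: Dict[str, str]) -> Optional[str]:
    """Host-only routing: whichever token is configured for the host wins."""
    return TOKENS_BY_HOST.get(req.get("host", ""))


def lookup_by_owner(req: Dict[str, str]) -> Optional[str]:
    """Owner routing: needs `path`, which git omits unless credential.useHttpPath=true."""
    path = req.get("path")
    if path is None:
        return None
    owner = owner_from_path(path)
    if owner is None:
        return None
    return TOKENS_BY_OWNER.get((req.get("host", ""), owner))


def format_response(req: Dict[str, str], token: str) -> str:
    """Build the reply git expects: echoed request keys plus username/password."""
    # Assumption: GitHub authenticates on the token value; 'x-access-token' is the
    # username GitHub documents for installation tokens and serves as a placeholder.
    username = req.get("username", "x-access-token")
    return (
        f"protocol={req.get('protocol', 'https')}\n"
        f"host={req.get('host', '')}\n"
        f"username={username}\n"
        f"password={token}\n\n"
    )


def main(argv) -> int:
    # Only 'get' needs an answer; 'store' and 'erase' are no-ops for a static helper.
    if len(argv) < 2 or argv[1] != "get":
        return 0
    req = parse_credential_request(sys.stdin.read())
    token = lookup_by_owner(req) or lookup_by_host(req)
    if token is None:
        return 0  # say nothing; git moves on to the next helper or prompts
    sys.stdout.write(format_response(req, token))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To try it against real git, save it as a script (the path below is a placeholder) and run `git config --global credential.useHttpPath true` followed by `git config --global credential.helper '!python3 /path/to/helper.py'`; git appends the operation (`get`) as the argument. Without `useHttpPath`, the owner lookup never sees a path and the helper falls back to the single per-host token, which is exactly the situation `gh auth git-credential` is in.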