
GitHub App Token

Description

General

  • Documentation: https://docs.github.com/en/rest/overview/permissions-required-for-github-apps

  • Summary: GitHub App Tokens are used to authenticate API requests on behalf of a GitHub App. They come in two kinds: User-to-Server Tokens (prefix ghu_), which act on behalf of a user who has authorized the app, and Server-to-Server Tokens, also called installation access tokens (prefix ghs_), which act on behalf of the app's installation in a user or organization account.

  • IPs allowlist: No

  • Scopes: GitHub Apps use fine-grained permissions rather than OAuth scopes. A token carries the permissions the app requested and the installation granted, for example repository contents, pull requests, workflows, or organization members, and nothing more. For the full list of available permissions, refer to the GitHub documentation linked above.

Revoke the secret

Revocation depends on the token type. A Server-to-Server (installation access, ghs_) token expires on its own one hour after it was created and can be revoked earlier with the DELETE /installation/token endpoint, authenticated with the token itself. A User-to-Server (ghu_) token is revoked with DELETE /applications/{client_id}/token, authenticated with the app's client ID and client secret. Uninstalling the GitHub App from the affected account invalidates the installation tokens issued for it. Regenerating the app's private key stops new installation tokens from being minted with the old key but does not shorten the life of tokens already issued, so revoke those explicitly. App installations and credentials are managed from the GitHub App's settings page.
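Which API call revokes a leaked token depends on which of the two token types it is. The following is an added example, not GitHub's or GitGuardian's code: it builds the GitHub REST request that revokes a token, chosen by its prefix, and the request whose status code tells you whether a token is still live. The endpoints, headers and status codes are GitHub's documented REST API; the client ID `Iv1.0123456789abcdef`, the client secret, the `ApiRequest` type and the function names are placeholders for the illustration.

```python
"""Added example (not GitHub's or GitGuardian's code): build the GitHub REST
request that revokes or checks a GitHub App token, chosen by token prefix."""
from __future__ import annotations

import base64
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

API = "https://api.github.com"
COMMON_HEADERS = {
    "Accept": "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
}


@dataclass
class ApiRequest:
    method: str
    url: str
    headers: dict[str, str]
    body: Optional[bytes] = None


def _basic(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential the app uses to act on its own tokens."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {creds}"


def revocation_request(token: str, client_id: Optional[str] = None,
                       client_secret: Optional[str] = None) -> ApiRequest:
    """DELETE request that revokes `token` (GitHub answers 204 on success).

    ghs_ (installation access) tokens revoke themselves: the token is the
    bearer credential and no app secret is needed.  ghu_ (user-to-server)
    tokens are revoked by the app, so the request carries the app's client
    ID and client secret as Basic auth and names the token in the JSON body.
    """
    if token.startswith("ghs_"):
        return ApiRequest("DELETE", f"{API}/installation/token",
                          {**COMMON_HEADERS, "Authorization": f"Bearer {token}"})
    if token.startswith("ghu_"):
        if not (client_id and client_secret):
            raise ValueError("ghu_ tokens are revoked with the app's client ID and secret")
        return ApiRequest("DELETE", f"{API}/applications/{client_id}/token",
                          {**COMMON_HEADERS,
                           "Authorization": _basic(client_id, client_secret),
                           "Content-Type": "application/json"},
                          json.dumps({"access_token": token}).encode())
    raise ValueError("not a GitHub App token (expected a ghu_ or ghs_ prefix)")


def validity_request(token: str, client_id: Optional[str] = None,
                     client_secret: Optional[str] = None) -> ApiRequest:
    """Request whose status answers 'is this token still live?'.

    ghu_: POST /applications/{client_id}/token returns 200 for a valid token
    and 404 otherwise.  ghs_: any call the installation may make will do;
    GET /installation/repositories returns 200, or 401 once revoked/expired.
    """
    if token.startswith("ghs_"):
        return ApiRequest("GET", f"{API}/installation/repositories",
                          {**COMMON_HEADERS, "Authorization": f"Bearer {token}"})
    if token.startswith("ghu_"):
        if not (client_id and client_secret):
            raise ValueError("checking a ghu_ token needs the app's client ID and secret")
        return ApiRequest("POST", f"{API}/applications/{client_id}/token",
                          {**COMMON_HEADERS,
                           "Authorization": _basic(client_id, client_secret),
                           "Content-Type": "application/json"},
                          json.dumps({"access_token": token}).encode())
    raise ValueError("not a GitHub App token (expected a ghu_ or ghs_ prefix)")


def send(req: ApiRequest) -> int:
    """Perform the request and return the HTTP status (needs network access)."""
    r = urllib.request.Request(req.url, data=req.body, method=req.method,
                               headers=req.headers)
    try:
        with urllib.request.urlopen(r, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    # Placeholder identifiers, not real credentials; the token is the page's example.
    leaked = "ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0"
    req = revocation_request(leaked, "Iv1.0123456789abcdef", "<client-secret>")
    print(req.method, req.url)
    # status = send(req)   # 204 once the token is revoked
```

Note the asymmetry: a stolen ghs_ token can be killed by anyone holding it, but a stolen ghu_ token can only be revoked by whoever holds the app's client secret, so that secret has to be reachable from your incident-response tooling.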

Check for suspicious activity

GitHub does not expose a per-token history of API calls, so you cannot list what a leaked token was used for. What it does record is the organization audit log and the user account's security log (authentication events, app installation changes, repository and member changes), so review those for unexpected activity from the moment the token may have leaked, and compare what you find against the permissions the app holds.

Details for Github user to server token v2

  • Family: token

  • Category: version_control_platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • Analyzer available: False

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 2.08

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghu_

Examples

- text: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

# Fat-fingered secret
- text: Xghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

Details for Github server to server token v2

  • Family: token

  • Category: version_control_platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • Analyzer available: False

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 0.92

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghs_

Examples

- text: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

# Fat-fingered secret
- text: gghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
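The two detector definitions above share the same PreValidators and differ only in the prefix each one whitelists. As an added illustration, not GitGuardian's detection engine, the Python below models that pipeline end to end: the filename banlist regexes and the content whitelist prefixes are copied from the page, the 36-character token body is inferred from the page's example values, and the token regex, the `scan`/`filename_banned` functions and the constructed sample files are the example's own. It runs over those sample files, including the fat-fingered cases shown in the examples, and shows why a file with a banned extension or a bare prefix produces no finding.

```python
"""Added example (not GitGuardian's code): a minimal model of the two
detectors on this page, applied to constructed sample files."""
from __future__ import annotations

import re
from dataclasses import dataclass

# FilenameBanlistPreValidator: regexes matched against the file extension
# (without the leading dot), copied from the page's PreValidators block.
BANLIST_EXTENSIONS = [re.compile(p) for p in (
    r"^(cs|x|p|s|r|m)?html5?~?$",
    r"^[aps]?cssc?~?$",
    r"^csv$",
    r"^ebuild$",
    r"^storyboard(c|er)?~?$",
    r"^xib$",
)]

# ContentWhitelistPreValidator: a detector only runs when its prefix
# appears somewhere in the file (cheap substring test before the regex).
DETECTOR_PREFIXES = {
    "Github user to server token v2": "ghu_",
    "Github server to server token v2": "ghs_",
}

# Token shape assumed from the page's examples: prefix + 36 characters from
# [A-Za-z0-9].  The trailing lookahead keeps a longer alphanumeric run from
# being cut to 36 characters and reported as a token.
TOKEN_RE = re.compile(r"(gh[us]_[A-Za-z0-9]{36})(?![A-Za-z0-9])")


@dataclass
class Finding:
    detector: str
    filename: str
    apikey: str


def extension_of(filename: str) -> str:
    """Extension without the dot ('' when the basename has none)."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1] if "." in base else ""


def filename_banned(filename: str) -> bool:
    ext = extension_of(filename)
    return any(p.match(ext) for p in BANLIST_EXTENSIONS)


def scan(filename: str, content: str) -> list[Finding]:
    """Run the prevalidators, then the token regex, in the page's order."""
    if filename_banned(filename):
        return []                      # the whole file is skipped
    findings: list[Finding] = []
    for detector, prefix in DETECTOR_PREFIXES.items():
        if prefix not in content:
            continue                   # whitelist miss: this detector does not run
        for m in TOKEN_RE.finditer(content):
            if m.group(1).startswith(prefix):
                # The regex is unanchored, so 'Xghu_...' still yields
                # 'ghu_...': the fat-fingered case from the examples.
                findings.append(Finding(detector, filename, m.group(1)))
    return findings


# Constructed sample files; the token values are the page's own examples.
SAMPLES = [
    ("config/app.env", "GITHUB_TOKEN=ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0\n"),
    ("deploy.sh", "curl -H 'Authorization: Bearer gghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0'\n"),
    ("docs/index.html", "token: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0\n"),  # banned extension
    ("notes.txt", "ghu_ is the user-to-server prefix\n"),                     # prefix, no token
]


def scan_samples() -> list[Finding]:
    return [f for name, body in SAMPLES for f in scan(name, body)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.filename}: {f.detector} -> {f.apikey}")
```

Only the first two sample files produce findings: the HTML file is dropped by the filename banlist before any regex runs, and the notes file passes the content whitelist but contains no token-shaped string.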