Skip to main content

GitHub OAuth Token

Description

General

  • Documentation: https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens

  • Summary: GitHub OAuth Tokens are used to authenticate API requests on behalf of a user through an OAuth flow. These tokens are issued to third-party applications and grant access to GitHub resources based on the permissions requested during the OAuth authorization process.

  • IPs allowlist: No

  • Scopes: OAuth Tokens have permissions defined by the OAuth App's configuration. These permissions can include access to repositories, user data, organizations, and more. For a full list of available permissions, refer to the GitHub documentation.

Revoke the secret

Tokens can be revoked from the OAuth Apps panel. Navigate to the "Authorized OAuth Apps" section and revoke access for the application.

Check for suspicious activity

There is no way to check the exact last API calls made with a token. However, GitHub provides security logs to review account activity and detect suspicious behavior.

Details for GitHub Oauth Access Token

  • Family: token

  • Category: version_control_platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • Analyzer available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 2.83

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - gho_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: X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
  apikey: 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

Secret Analyzer

Analysis Method

  • Provider allows scopes enumeration: True
  • Total network call count: 1
  • Total call count may vary: False

HTTP Calls

Requests are designed to capture metadata and not to function effectively.

  • GET: /user

Other Calls

Non-HTTP queries or HTTP calls made through a third-party app (e.g., Python package). No other calls for this analyzer.

Last updated on

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status