Working with two-factor authentication

When you have two-factor authentication enabled, Basic Authentication for most endpoints in the REST API v3 requires that you use a personal access token or OAuth token instead of your username and password.

You can generate a new personal access token with GitHub developer settings or use the "Create a new authorization" endpoint in the OAuth Authorizations API to generate a new OAuth token. For more information, see "Creating a personal access token for the command line" in the GitHub Help documentation. Then you would use these tokens to authenticate using OAuth token with the GitHub API. The only time you need to authenticate with your username and password is when you create your OAuth token or use the OAuth Authorizations API.

Using the OAuth Authorizations API with two-factor authentication

When you make calls to the OAuth Authorizations API, Basic Authentication requires that you use a one-time password (OTP) and your username and password instead of tokens. When you attempt to authenticate with the OAuth Authorizations API, the server will respond with a 401 Unauthorized and one of these headers to let you know that you need a two-factor authentication code:

X-GitHub-OTP: required; SMS or X-GitHub-OTP: required; app.

This header tells you how your account receives its two-factor authentication codes. Depending how you set up your account, you will either receive your OTP codes via SMS or you will use an application like Google Authenticator or 1Password. For more information, see "Configuring two-factor authentication." Pass the OTP in the header:

curl --request POST \
  --url https://api.github.com/authorizations \
  --header 'authorization: Basic PASSWORD' \
  --header 'content-type: application/json' \
  --header 'x-github-otp: OTP' \
  --data '{"scopes": ["public_repo"], "note": "test"}'