OAuth Applications API
- Check a token
- Reset a token
- Delete an app token
- Delete an app authorization
- Check an authorization
- Reset an authorization
- Revoke an authorization for an application
- Revoke a grant for an application
- Further reading
You can use this API to manage the OAuth tokens an OAuth application uses to access people's GitHub accounts.
Deprecation Notice: GitHub will replace and discontinue OAuth endpoints containing access_token in the path parameter. We are introducing new endpoints that allow you to securely manage tokens for OAuth Apps by using access_token as an input parameter. For more information, see the blog post.
Check a token
Note: New endpoints using OAuth tokens as input parameters instead of path parameters are available for developers to preview in the OAuth Applications API. To access these endpoints during the preview period, you must provide a custom media type in the Accept header:
application/vnd.github.doctor-strange-preview+json
Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact your GitHub Enterprise site administrator.
OAuth applications can use a special API method for checking OAuth token validity without exceeding the normal rate limits for failed login attempts. Authentication works differently with this particular endpoint. You must use Basic Authentication to use this endpoint, where the username is the OAuth application client_id and the password is its client_secret. Invalid tokens will return 404 NOT FOUND.
POST /applications/:client_id/token
Parameters
| Name | Type | Description |
|---|---|---|
| access_token | string | The OAuth access token used to authenticate to the GitHub API. |
Example
{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a"
}
Response
Status: 200 OK
{
  "id": 1,
  "url": "https://api.github.com/authorizations/1",
  "scopes": [
    "public_repo"
  ],
  "token": "abcdefgh12345678",
  "token_last_eight": "12345678",
  "hashed_token": "25f94a2a5c7fbaf499c665bc73d67c1c87e496da8985131633ee0a95819db2e8",
  "app": {
    "url": "http://my-github-app.com",
    "name": "my github app",
    "client_id": "abcde12345fghij67890"
  },
  "note": "optional note",
  "note_url": "http://optional/note/url",
  "updated_at": "2011-09-06T20:39:23Z",
  "created_at": "2011-09-06T17:26:27Z",
  "fingerprint": "jklmnop12345678",
  "user": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  }
}
Reset a token
Note: New endpoints using OAuth tokens as input parameters instead of path parameters are available for developers to preview in the OAuth Applications API. To access these endpoints during the preview period, you must provide a custom media type in the Accept header:
application/vnd.github.doctor-strange-preview+json
Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact your GitHub Enterprise site administrator.
OAuth applications can use this API method to reset a valid OAuth token without end-user involvement. Applications must save the "token" property in the response because changes take effect immediately. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password. Invalid tokens will return 404 NOT FOUND.
PATCH /applications/:client_id/token
Parameters
| Name | Type | Description |
|---|---|---|
| access_token | string | The OAuth access token used to authenticate to the GitHub API. |
Example
{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a"
}
Response
Status: 200 OK
{
  "id": 1,
  "url": "https://api.github.com/authorizations/1",
  "scopes": [
    "public_repo"
  ],
  "token": "abcdefgh12345678",
  "token_last_eight": "12345678",
  "hashed_token": "25f94a2a5c7fbaf499c665bc73d67c1c87e496da8985131633ee0a95819db2e8",
  "app": {
    "url": "http://my-github-app.com",
    "name": "my github app",
    "client_id": "abcde12345fghij67890"
  },
  "note": "optional note",
  "note_url": "http://optional/note/url",
  "updated_at": "2011-09-06T20:39:23Z",
  "created_at": "2011-09-06T17:26:27Z",
  "fingerprint": "jklmnop12345678",
  "user": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  }
}
Delete an app token
Note: New endpoints using OAuth tokens as input parameters instead of path parameters are available for developers to preview in the OAuth Applications API. To access these endpoints during the preview period, you must provide a custom media type in the Accept header:
application/vnd.github.doctor-strange-preview+json
Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact your GitHub Enterprise site administrator.
OAuth application owners can revoke a single token for an OAuth application. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password.
DELETE /applications/:client_id/token
Parameters
| Name | Type | Description |
|---|---|---|
| access_token | string | The OAuth access token used to authenticate to the GitHub API. |
Example
{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a"
}
Response
Status: 204 No Content
Delete an app authorization
Note: New endpoints using OAuth tokens as input parameters instead of path parameters are available for developers to preview in the OAuth Applications API. To access these endpoints during the preview period, you must provide a custom media type in the Accept header:
application/vnd.github.doctor-strange-preview+json
Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact your GitHub Enterprise site administrator.
OAuth application owners can revoke a grant for their OAuth application and a specific user. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password. You must also provide a valid OAuth access_token as an input parameter and the grant for the token's owner will be deleted.
Deleting an OAuth application's grant will also delete all OAuth tokens associated with the application for the user. Once deleted, the application will have no access to the user's account and will no longer be listed on the application authorizations settings screen within GitHub.
DELETE /applications/:client_id/grant
Parameters
| Name | Type | Description |
|---|---|---|
| access_token | string | The OAuth access token used to authenticate to the GitHub API. |
Example
{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a"
}
Response
Status: 204 No Content
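The four preview endpoints above share one request shape, shown here as an added example (not GitHub's code): Basic Authentication with the client_id and client_secret, the preview media type, and the user's token in the JSON body rather than the URL. `API_ROOT`, `build_request` and `handle_response` are names assumed for illustration; requests are built but not sent.

```python
import base64
import json
import urllib.request

# Assumption: placeholder API root for a GitHub Enterprise host (not from the page).
API_ROOT = "https://github.example.com/api/v3"
PREVIEW = "application/vnd.github.doctor-strange-preview+json"
# action -> (HTTP method, last path segment) for the four preview endpoints
ACTIONS = {
    "check": ("POST", "token"),
    "reset": ("PATCH", "token"),
    "delete_token": ("DELETE", "token"),
    "delete_grant": ("DELETE", "grant"),
}


def build_request(action, client_id, client_secret, access_token):
    """Build, without sending, the request for one preview endpoint."""
    method, resource = ACTIONS[action]
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{API_ROOT}/applications/{client_id}/{resource}",
        # The user's token goes in the JSON body, never in the URL.
        data=json.dumps({"access_token": access_token}).encode(),
        method=method,
        headers={
            "Authorization": f"Basic {basic}",  # client_id:client_secret
            "Accept": PREVIEW,
            "Content-Type": "application/json",
        },
    )


def handle_response(action, status, body=b""):
    """Turn a status code and raw body into the state the app should store."""
    if status == 404:  # the page: invalid tokens return 404 NOT FOUND
        return {"valid": False, "token": None}
    if status == 204 and action in ("delete_token", "delete_grant"):
        return {"valid": False, "token": None}  # revoked, nothing left to store
    if status == 200 and action in ("check", "reset"):
        doc = json.loads(body)
        # After a reset the old token is already dead, so persist doc["token"]
        # before doing anything else with the response.
        return {"valid": True, "token": doc["token"], "scopes": doc["scopes"]}
    raise RuntimeError(f"unexpected status {status} for action {action!r}")
```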
Check an authorization
Deprecation Notice: GitHub will replace and discontinue OAuth endpoints containing access_token in the path parameter. We are introducing new endpoints that allow you to securely manage tokens for OAuth Apps by using access_token as an input parameter. For more information, see the blog post.
OAuth applications can use a special API method for checking OAuth token validity without exceeding the normal rate limits for failed login attempts. Authentication works differently with this particular endpoint. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password. Invalid tokens will return 404 NOT FOUND.
GET /applications/:client_id/tokens/:access_token
Response
Status: 200 OK
{
  "id": 1,
  "url": "https://api.github.com/authorizations/1",
  "scopes": [
    "public_repo"
  ],
  "token": "abcdefgh12345678",
  "token_last_eight": "12345678",
  "hashed_token": "25f94a2a5c7fbaf499c665bc73d67c1c87e496da8985131633ee0a95819db2e8",
  "app": {
    "url": "http://my-github-app.com",
    "name": "my github app",
    "client_id": "abcde12345fghij67890"
  },
  "note": "optional note",
  "note_url": "http://optional/note/url",
  "updated_at": "2011-09-06T20:39:23Z",
  "created_at": "2011-09-06T17:26:27Z",
  "fingerprint": "jklmnop12345678",
  "user": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  }
}
Reset an authorization
Deprecation Notice: GitHub will replace and discontinue OAuth endpoints containing access_token in the path parameter. We are introducing new endpoints that allow you to securely manage tokens for OAuth Apps by using access_token as an input parameter. For more information, see the blog post.
OAuth applications can use this API method to reset a valid OAuth token without end-user involvement. Applications must save the "token" property in the response because changes take effect immediately. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password. Invalid tokens will return 404 NOT FOUND.
POST /applications/:client_id/tokens/:access_token
Response
Status: 200 OK
{
  "id": 1,
  "url": "https://api.github.com/authorizations/1",
  "scopes": [
    "public_repo"
  ],
  "token": "abcdefgh12345678",
  "token_last_eight": "12345678",
  "hashed_token": "25f94a2a5c7fbaf499c665bc73d67c1c87e496da8985131633ee0a95819db2e8",
  "app": {
    "url": "http://my-github-app.com",
    "name": "my github app",
    "client_id": "abcde12345fghij67890"
  },
  "note": "optional note",
  "note_url": "http://optional/note/url",
  "updated_at": "2011-09-06T20:39:23Z",
  "created_at": "2011-09-06T17:26:27Z",
  "fingerprint": "jklmnop12345678",
  "user": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  }
}
Revoke an authorization for an application
Deprecation Notice: GitHub will replace and discontinue OAuth endpoints containing access_token in the path parameter. We are introducing new endpoints that allow you to securely manage tokens for OAuth Apps by using access_token as an input parameter. For more information, see the blog post.
OAuth application owners can revoke a single token for an OAuth application. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password.
DELETE /applications/:client_id/tokens/:access_token
Response
Status: 204 No Content
Revoke a grant for an application
Deprecation Notice: GitHub will replace and discontinue OAuth endpoints containing access_token in the path parameter. We are introducing new endpoints that allow you to securely manage tokens for OAuth Apps by using access_token as an input parameter. For more information, see the blog post.
OAuth application owners can revoke a grant for their OAuth application and a specific user. You must use Basic Authentication when accessing this endpoint, using the OAuth application's client_id and client_secret as the username and password. You must also provide a valid token as :access_token and the grant for the token's owner will be deleted.
Deleting an OAuth application's grant will also delete all OAuth tokens associated with the application for the user. Once deleted, the application will have no access to the user's account and will no longer be listed on the Applications settings page under "Authorized OAuth Apps" on GitHub.
DELETE /applications/:client_id/grants/:access_token
Response
Status: 204 No Content
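The deprecated routes above put the token in the URL path, so it is written wherever request lines are recorded, such as server and proxy access logs. The following added example, not part of GitHub's documentation, scrubs such lines and counts distinct exposed tokens so they can be reset or revoked; the function name, the fingerprint scheme and the sample log lines are constructed for illustration.

```python
import hashlib
import re

# Deprecated routes on this page that carry the token as the last path segment.
LEGACY_ROUTE = re.compile(r"(/applications/[^/\s]+/(?:tokens|grants)/)([^/\s?#]+)")


def scrub_access_log(lines):
    """Redact tokens from legacy-route log lines.

    Returns (scrubbed_lines, exposed), where exposed maps a short SHA-256
    fingerprint of each distinct leaked token to the number of times it
    appeared, so leaked tokens can be counted without storing them.
    """
    exposed = {}
    scrubbed = []

    def _redact(match):
        fp = hashlib.sha256(match.group(2).encode()).hexdigest()[:12]
        exposed[fp] = exposed.get(fp, 0) + 1
        return f"{match.group(1)}[REDACTED:{fp}]"

    for line in lines:
        scrubbed.append(LEGACY_ROUTE.sub(_redact, line))
    return scrubbed, exposed


# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Sep/2011:20:39:23 +0000] "GET /api/v3/applications/'
    'abcde12345fghij67890/tokens/e72e16c7e42f292c6912e7710c838347ae178b4a HTTP/1.1" 200 1024',
    '10.0.0.5 - - [06/Sep/2011:20:40:01 +0000] "POST /api/v3/applications/'
    'abcde12345fghij67890/token HTTP/1.1" 200 1024',
    '10.0.0.5 - - [06/Sep/2011:20:41:12 +0000] "DELETE /api/v3/applications/'
    'abcde12345fghij67890/grants/e72e16c7e42f292c6912e7710c838347ae178b4a HTTP/1.1" 204 0',
]

if __name__ == "__main__":
    clean, exposed = scrub_access_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(exposed)
```

The second sample line uses the body-parameter endpoint and passes through unchanged, since its request line never contained a token.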
Further reading
These links might help you get started with OAuth:
- OAuth 2 spec
- GitHub OAuth App authentication for JavaScript
- GitHub App authentication for JavaScript for GitHub Apps, including an OAuth authentication strategy
- Universal library to retrieve GitHub’s identity URL for the OAuth web flow
- Facebook Login API
- Ruby OAuth2 lib
- Simple Ruby/Sinatra example
- Python Flask example using requests-oauthlib
- Simple Python example using python-oauth2
- Ruby OmniAuth example
- Ruby Sinatra extension
- Ruby Warden strategy