What is the expiry time of a GitHub OAuth access token? And how do I renew it? I don't see any refresh token in their documentation. Please guide me. Thanks in advance.
Tokens are valid for 30 days from creation or last use, so that the 30 day expiration automatically refreshes with each API call. Tokens that aren't used for 30 days expire. The 30-day period is currently fixed and can't be changed for your organization.
By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year.
Developers strongly prefer access tokens that don't expire, since it's much less code to deal with. In order to help mitigate these concerns, services will often build the token refreshing logic into their SDK, so that the process is transparent to developers.
Obtaining your GitHub personal access token: Sign in to your GitHub account. Change the settings for your GitHub profile by clicking your profile image in the upper right, and then click Settings. At the bottom of the left menu, in the Developer settings section, click the Personal access tokens link.
2014: As commented in this "GitHub OAuth Busy Developer's Guide"
Tokens don't have to expire.
They only send back the access token and an expiration (field "expires_in", seen as far back as 2013) if the offline_access scope is not requested (as it is the case for a refresh token).
Right now, GitHub just assumes all apps want offline access.
You can check an OAuth application authorization, delete it or revoke it.
But the token itself doesn't seem to be bound to an expiry date.
badsyntax adds in the comments:
I also found this useful:
"An OAuth token does not expire until the person who authorized the OAuth App revokes the token."
From "Migrating OAuth Apps to GitHub Apps".
Stokito points out in the comments to rfc6749 / 4.2.2 Access Token Response:
expires_in
RECOMMENDED.
The lifetime in seconds of the access token.
For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
Update 2021:
You can now set an expiration date on your new and existing personal access tokens.
Setting an expiration date on personal access tokens is highly recommended as this helps keep your information secure.
GitHub will email you when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving you a duplicate token with the same properties as the original.
When using a personal access token with the GitHub API, you'll see a new response header, GitHub-Authentication-Token-Expiration, indicating the token's expiration date. You can use this in scripts, for example, to log a warning message as the expiration date approaches.
Learn more about personal access tokens and how to use them.
GitHub recently introduced the ability to set an expiration date when creating or regenerating a personal access token (PAT).
For a PAT that is authorized to access an organization protected by SAML single sign-on (SSO), the expiration date of that PAT is now available via the GET /orgs/{org}/credential-authorizations API.
Organization administrators can use the following gh command to see the expiration dates of all PATs that are authorized to access their org by authenticating with a PAT that has the read:org scope:
gh api --paginate /orgs/:org/credential-authorizations --jq='.[] | [.authorized_credential_expires_at]'
Learn more about authorizing a personal access token for use with SAML single sign-on.
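The 2021 update above says the GitHub-Authentication-Token-Expiration response header can be used in scripts to warn as a token nears expiry. The following is an added example, not code from the answer or from GitHub: the function names, the 7-day warning window and the two header value layouts it accepts are assumptions, and the sample header is constructed.

```python
import logging
from datetime import datetime, timedelta, timezone

HEADER = "github-authentication-token-expiration"  # header name from the page
# Assumed value layouts (constructed examples, not taken from the page):
#   "2021-09-30 14:00:00 UTC"  or  "2021-09-30 16:00:00 +0200"


def parse_expiration(value):
    """Parse the header value into a timezone-aware UTC datetime."""
    text = value.strip()
    if text.upper().endswith(" UTC"):
        text = text[:-4] + " +0000"  # normalise the zone name to a numeric offset
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def token_expiry_status(headers, now=None, warn_days=7):
    """Classify a token from the headers of an authenticated API response.

    Returns (status, expires_at); status is one of
    "no-expiry", "unparseable", "expired", "expiring-soon", "ok".
    """
    now = now or datetime.now(timezone.utc)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = lowered.get(HEADER)
    if raw is None:
        return "no-expiry", None  # no expiration date reported for this token
    try:
        expires_at = parse_expiration(raw)
    except ValueError:
        return "unparseable", None  # layout differs from the assumed ones
    if expires_at <= now:
        return "expired", expires_at
    if expires_at - now <= timedelta(days=warn_days):
        logging.warning("GitHub token expires at %s", expires_at.isoformat())
        return "expiring-soon", expires_at
    return "ok", expires_at


if __name__ == "__main__":
    now = datetime(2021, 9, 25, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    sample = {"GitHub-Authentication-Token-Expiration": "2021-09-30 14:00:00 UTC"}
    print(token_expiry_status(sample, now=now))
```

Pass it the response headers of any API call made with the token; a token with no expiration date set returns "no-expiry".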