<!DOCTYPE html><html lang="de-ch"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>GitHub classic vs. fine-grained Personal Access Tokens - Finecloud</title><meta name="description" content="What are PATs? Personal access tokens are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line. Personal access tokens are intended to access GitHub resources on your behalf. To access resources on behalf of an organization,…"><meta name="generator" content="Publii Open-Source CMS for Static Site"><link rel="stylesheet" href="https://www.finecloud.ch/media/plugins/syntaxHighlighter/prism-black.css"><link rel="canonical" href="https://www.finecloud.ch/github-classic-vs-fine-grained-personal-access-tokens.html"><link rel="alternate" type="application/atom+xml" href="https://www.finecloud.ch/feed.xml"><link rel="alternate" type="application/json" href="https://www.finecloud.ch/feed.json"><meta property="og:title" content="GitHub classic vs. fine-grained Personal Access Tokens"><meta property="og:site_name" content="Finecloud"><meta property="og:description" content="What are PATs? Personal access tokens are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line. Personal access tokens are intended to access GitHub resources on your behalf. 
To access resources on behalf of an organization,…"><meta property="og:url" content="https://www.finecloud.ch/github-classic-vs-fine-grained-personal-access-tokens.html"><meta property="og:type" content="article"><link rel="shortcut icon" href="https://www.finecloud.ch/media/website/finecloud.png" type="image/png"><link rel="stylesheet" href="https://www.finecloud.ch/assets/css/style.css?v=39da73365516a098a9b73b721fc970e2"><script type="application/ld+json">{"@context":"http://schema.org","@type":"Article","mainEntityOfPage":{"@type":"WebPage","@id":"https://www.finecloud.ch/github-classic-vs-fine-grained-personal-access-tokens.html"},"headline":"GitHub classic vs. fine-grained Personal Access Tokens","datePublished":"2024-07-31T17:32","dateModified":"2024-08-05T20:11","description":"What are PATs? Personal access tokens are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line. Personal access tokens are intended to access GitHub resources on your behalf. 
To access resources on behalf of an organization,…","author":{"@type":"Person","name":"Finecloud","url":"https://www.finecloud.ch/authors/finecloud/"},"publisher":{"@type":"Organization","name":"Finecloud"}}</script><meta name="google-site-verification" content="seFY9U12uiEq5U3_MyZiX6XWzk0AVFl9zITr2ZKsytY"></head><body><div class="site-container"><header class="top" id="js-header"><a class="logo" href="https://www.finecloud.ch/">Finecloud</a><nav class="navbar js-navbar"><button class="navbar__toggle js-toggle" aria-label="Menu" aria-haspopup="true" aria-expanded="false"><span class="navbar__toggle-box"><span class="navbar__toggle-inner">Menu</span></span></button><ul class="navbar__menu"><li><a href="https://www.finecloud.ch/" target="_self">Blog</a></li><li><a href="https://www.finecloud.ch/tags/" target="_self">Tags</a></li></ul></nav><div class="search"><div class="search__overlay js-search-overlay"><div class="search__overlay-inner"><form action="https://www.finecloud.ch/search.html" class="search__form"><input class="search__input js-search-input" type="search" name="q" placeholder="search..." aria-label="search..." 
autofocus="autofocus"></form><button class="search__close js-search-close" aria-label="Close">Close</button></div></div><button class="search__btn js-search-btn" aria-label="Search"><svg role="presentation" focusable="false"><use xlink:href="https://www.finecloud.ch/assets/svg/svg-map.svg#search"/></svg></button></div></header><main><article class="post"><div class="hero"><figure class="hero__image hero__image--overlay"><img src="https://www.finecloud.ch/media/website/download.jpg" srcset="https://www.finecloud.ch/media/website/responsive/download-xs.jpg 300w, https://www.finecloud.ch/media/website/responsive/download-sm.jpg 480w, https://www.finecloud.ch/media/website/responsive/download-md.jpg 768w, https://www.finecloud.ch/media/website/responsive/download-lg.jpg 1024w, https://www.finecloud.ch/media/website/responsive/download-xl.jpg 1360w, https://www.finecloud.ch/media/website/responsive/download-2xl.jpg 1600w" sizes="100vw" loading="eager" alt=""></figure><header class="hero__content"><div class="wrapper"><div class="post__meta"><time datetime="2024-07-31T17:32">July 31, 2024</time></div><h1>GitHub classic vs. 
fine-grained Personal Access Tokens</h1></div></header></div><div class="wrapper post__entry"><div class="post__toc"><h3>Contents</h3><ul><li><a href="#what-are-pats">What are PATs?</a></li><li><a href="#what-are-classic-pats">What are classic PATs?</a></li><li><a href="#what-are-fine-grained-pats">What are fine-grained PATs?</a></li><li><a href="#what-happens-when-the-user-who-generated-them-becomes-inactive-and-loses-access-to-the-resource">What happens when the user who generated them becomes inactive and loses access to the resource?</a></li><li><a href="#what-are-the-risks-to-consider-with-pats">What are the risks to consider with PATs?</a></li><li><a href="#can-a-classic-pat-owned-by-a-regular-gh-user-be-used-to-access-and-manipulate-a-gh-internal-repo-from-externally-without-any-other-auth-requirement">Can a classic PAT (owned by a regular GH user) be used to access and manipulate a GH internal Repo from externally without any other auth requirement?</a></li><li><a href="#can-a-fine-grained-pat-owned-by-a-regular-gh-user-be-used-to-access-and-manipulate-a-gh-internal-repo-from-externally-without-any-other-auth-requirement">Can a fine-grained PAT (owned by a regular GH User) be used to access and manipulate a GH internal Repo from externally without any other auth requirement?</a></li><li><a href="#can-a-fine-grained-pat-owned-by-the-org-be-used-to-access-and-manipulate-a-gh-internal-repo-externally-without-any-other-auth-requirement">Can a fine-grained PAT (owned by the Org) be used to access and manipulate a GH internal Repo externally without any other auth requirement?</a></li><li><a href="#how-can-org-admins-restrict-classic-pats-access-to-the-org">How can Org. 
Admins restrict classic PATs access to the Org?</a></li><li><a href="#how-can-you-manage-classic-pats-of-the-users-as-an-org-adminlessbrgreater">How can you manage classic PATs of the Users as an Org Admin?</a></li><li><a href="#how-can-i-restrict-org-access-of-fine-grained-pats-as-an-org-admin">How can I restrict Org access of fine-grained PATs as an Org Admin?</a></li><li><a href="#how-can-i-manage-fine-grained-pats-of-the-users-as-an-org-admin">How can I manage fine-grained PATs of the Users as an Org Admin?</a></li><li><a href="#overview-of-classic-vs-fine-grained-pats">Overview of Classic vs. Fine-grained PATs</a></li></ul></div><h2 id="what-are-pats">What are PATs?</h2><p>Personal access tokens are an alternative to using passwords for authentication to GitHub when using the <a href="https://docs.github.com/en/rest/overview/authenticating-to-the-rest-api" target="_blank">GitHub API</a> or the <a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#using-a-personal-access-token-on-the-command-line" target="_blank">command line</a>.<br><br>Personal access tokens are intended to access GitHub resources on your behalf. <strong>To access resources on behalf of an organization, or for long-lived integrations, you should use a GitHub App. For more information, see "<a href="https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/about-creating-github-apps" target="_blank">About creating GitHub Apps</a>".</strong><br><br><strong>GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible. (<a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#types-of-personal-access-tokens" target="_blank">source</a>)</strong></p><h2 id="what-are-classic-pats">What are classic PATs?</h2><p>Personal access tokens (classic) are less secure. 
<strong>However, some features currently will only work with personal access tokens (classic):</strong></p><ul><li>Only personal access tokens (classic) have write access for public repositories that are not owned by you or by an organization that you are not a member of.</li><li>Outside collaborators can only use personal access tokens (classic) to access organization repositories that they are a collaborator on.</li><li>A few REST API endpoints are only available with a personal access token (classic). To check whether an endpoint also supports fine-grained personal access tokens, see the documentation for that endpoint, or see "<a href="https://docs.github.com/en/rest/overview/endpoints-available-for-fine-grained-personal-access-tokens" target="_blank">Endpoints available for fine-grained personal access tokens</a>".</li></ul><p>If you choose to use a personal access token (classic), keep in mind that it will grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account.<br><br>As a security precaution, GitHub automatically removes personal access tokens that haven't been used in a year. 
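</p><p>That breadth is exactly why a classic token that turns up in a repository, a CI log or a shared .env file deserves immediate triage. The script below is an added example written for this page, not code from the original post or from GitHub: it finds PAT-shaped strings by their public prefixes (ghp_ for classic, github_pat_ for fine-grained; the exact token lengths are an assumption noted in the comments), redacts them for reporting, and rates the scopes a classic token exposes in the x-oauth-scopes response header of api.github.com. The .env content and the header value are constructed.</p>

```python
import re
import string
from typing import Dict, List

# Token shapes. Assumption based on GitHub's published token prefixes:
# classic PATs start with "ghp_" (36 further characters), fine-grained PATs
# with "github_pat_" (82 further characters, including one underscore).
PAT_PATTERNS = {
    "classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "fine-grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}

# Classic scopes that hand out broad access (GitHub's classic scope names).
BROAD_SCOPES = {"repo", "workflow", "admin:org", "admin:org_hook", "delete_repo", "write:packages"}

# Constructed sample tokens: the right shape, but made up for this example.
CLASSIC_SAMPLE = "ghp_" + string.digits + string.ascii_lowercase  # 4 + 36 characters
FINE_GRAINED_SAMPLE = ("github_pat_" + string.digits + "ABCDEFGHIJKL" + "_"
                       + string.ascii_lowercase + string.ascii_uppercase + "0123456")  # 11 + 82

# Constructed .env file as it might be found committed by mistake (values are made up).
SAMPLE_TEXT = (
    "# build settings\n"
    f"GITHUB_TOKEN={CLASSIC_SAMPLE}\n"
    "LOG_LEVEL=info\n"
    f"RELEASE_TOKEN={FINE_GRAINED_SAMPLE}\n"
)


def redact(token: str) -> str:
    """Keep the prefix and the last four characters so a finding can be matched
    against the token list in GitHub's settings without the report itself
    becoming a secret."""
    return token[:8] + "..." + token[-4:]


def find_tokens(text: str) -> List[Dict[str, object]]:
    """Return one finding per PAT-shaped string, classified by its prefix."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PAT_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": line_no, "kind": kind, "token": redact(match.group(0))})
    return findings


def classic_scope_risk(oauth_scopes_header: str) -> Dict[str, object]:
    """Evaluate the x-oauth-scopes header that api.github.com returns for a
    classic token (comma-separated scope names). Assumption: the header is
    only meaningful for classic tokens; the permissions of a fine-grained
    token have to be reviewed in GitHub's settings instead."""
    scopes = [s.strip() for s in oauth_scopes_header.split(",") if s.strip()]
    broad = sorted(s for s in scopes if s in BROAD_SCOPES)
    return {"scopes": scopes, "broad": broad, "over_privileged": bool(broad)}


if __name__ == "__main__":
    for finding in find_tokens(SAMPLE_TEXT):
        print(f"line {finding['line']}: {finding['kind']} token {finding['token']}")
    # Constructed header value for a classic token created with broad scopes.
    print(classic_scope_risk("repo, workflow, admin:org, read:user"))
```

<p>Any classic finding should be revoked by its owner (the only person who can see it) and, where it was used from an unexpected location, followed up as an incident; the scope rating tells you how wide the blast radius was, which is the point of the classic-versus-fine-grained distinction above.</p><p>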
To provide additional security, we highly recommend adding an expiration to your personal access tokens.</p><h2 id="what-are-fine-grained-pats">What are fine-grained PATs?</h2><p>Fine-grained personal access tokens have several security advantages over personal access tokens (classic):</p><ul><li>Each token can only access resources owned by a single user or organization.</li><li>Each token can only access specific repositories.</li><li>Each token is granted specific permissions, which offer more control than the scopes granted to personal access tokens (classic).</li><li>Each token must have an expiration date.</li><li>Organization owners can require approval for any fine-grained personal access tokens that can access resources in the organization.</li></ul><h2 id="what-happens-when-the-user-who-generated-them-becomes-inactive-and-loses-access-to-the-resource">What happens when the user who generated them becomes inactive and loses access to the resource?</h2><p>Both fine-grained personal access tokens and personal access tokens (classic) are tied to the user who generated them and will become inactive if the user loses access to the resource.</p><h2 id="what-are-the-risks-to-consider-with-pats">What are the risks to consider with PATs?</h2><ul><li>PATs could be leaked, end up in the wrong hands and be used from outside the organization.</li><li>Org. Admins don't see users' classic PATs that have Org. access.</li></ul><h2 id="can-a-classic-pat-owned-by-a-regular-gh-user-be-used-to-access-and-manipulate-a-gh-internal-repo-from-externally-without-any-other-auth-requirement">Can a classic PAT (owned by a regular GH user) be used to access and manipulate a GH internal Repo from externally without any other auth requirement?</h2><p>Yes. To verify this, create a classic PAT, select all permissions and then try to access an internal GitHub test Repo from an external computer without any VPN/internal access or SSO auth session. 
You will be able to pull all the Repo content and write everywhere the owner of the PAT has access, e.g., create Issues, close PRs, etc.</p><h2 id="can-a-fine-grained-pat-owned-by-a-regular-gh-user-be-used-to-access-and-manipulate-a-gh-internal-repo-from-externally-without-any-other-auth-requirement">Can a fine-grained PAT (owned by a regular GH User) be used to access and manipulate a GH internal Repo from externally without any other auth requirement?</h2><p>By default, user-owned fine-grained PATs have only read access to public github.com repos. To grant access to an internal GH Repo, the Organization must own the PAT, which is only possible if the token request gets approved by an Org. Admin.</p><h2 id="can-a-fine-grained-pat-owned-by-the-org-be-used-to-access-and-manipulate-a-gh-internal-repo-externally-without-any-other-auth-requirement">Can a fine-grained PAT (owned by the Org) be used to access and manipulate a GH internal Repo externally without any other auth requirement?</h2><p>Once the requested PAT has been approved by an Org Admin, yes, this is possible. But the token has a maximum lifetime of 1 year. If the owner of the PAT changes its permissions, the review workflow is triggered again, and an Org Admin must approve the permission change before it is applied.</p><h2 id="how-can-org-admins-restrict-classic-pats-access-to-the-org">How can Org. Admins restrict classic PATs access to the Org?</h2><p>Organization owners/admins can prevent personal access tokens (classic) from accessing resources owned by the organization. 
Personal access tokens (classic) can still read public resources within the organization.</p><figure class="post__image post__image--center"><img loading="lazy" src="https://www.finecloud.ch/media/posts/104/gh-token.png" height="258" width="934" alt="" sizes="100vw" srcset="https://www.finecloud.ch/media/posts/104/responsive/gh-token-xs.png 300w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-sm.png 480w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-md.png 768w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-lg.png 1024w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-xl.png 1360w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-2xl.png 1600w"></figure><p>https://github.com/organizations/&lt;your-gh-org-name&gt;/settings/personal-access-tokens</p><h2 id="how-can-you-manage-classic-pats-of-the-users-as-an-org-adminlessbrgreater">How can you manage classic PATs of the Users as an Org Admin?</h2><p>You can't, because you don't see them. 
Only the User who created the classic PAT can see and manage it.</p><h2 id="how-can-i-restrict-org-access-of-fine-grained-pats-as-an-org-admin">How can I restrict Org access of fine-grained PATs as an Org Admin?</h2><figure class="post__image post__image--center"><img loading="lazy" src="https://www.finecloud.ch/media/posts/104/gh-token-2.png" height="264" width="928" alt="" sizes="100vw" srcset="https://www.finecloud.ch/media/posts/104/responsive/gh-token-2-xs.png 300w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-2-sm.png 480w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-2-md.png 768w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-2-lg.png 1024w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-2-xl.png 1360w, https://www.finecloud.ch/media/posts/104/responsive/gh-token-2-2xl.png 1600w"></figure><p>https://github.com/organizations/&lt;your-gh-org-name&gt;/settings/personal-access-tokens</p><h2 id="how-can-i-manage-fine-grained-pats-of-the-users-as-an-org-admin">How can I manage fine-grained PATs of the Users as an Org Admin?</h2><p>You can't manage/see the fine-grained PATs the User Account owns. 
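</p><p>Org-owned fine-grained tokens are a different story: they are listed in the organization's settings and through the REST endpoint GET /orgs/{org}/personal-access-tokens, so an Org Admin can review them on a schedule rather than only at approval time. The script below is an added example for this page, not code from the original post or from GitHub. It audits a constructed response body in the shape of that endpoint (field names follow GitHub's REST documentation, the values are made up, and the 180-day and 90-day thresholds are an assumed policy) and flags grants that cover all repositories, carry organization-level write permissions, expire far in the future, have gone unused, or have already expired.</p>

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed response body in the shape of GET /orgs/{org}/personal-access-tokens
# (the endpoint that lists org-owned fine-grained PAT grants). Field names follow
# GitHub's REST docs; all values are made up for this example.
SAMPLE_RESPONSE = json.dumps([
    {
        "id": 101,
        "owner": {"login": "alice"},
        "repository_selection": "subset",
        "permissions": {"repository": {"contents": "read", "metadata": "read"}},
        "access_granted_at": "2024-07-01T10:00:00Z",
        "token_expired": False,
        "token_expires_at": "2024-10-01T10:00:00Z",
        "token_last_used_at": "2024-07-30T09:15:00Z",
    },
    {
        "id": 102,
        "owner": {"login": "bob"},
        "repository_selection": "all",
        "permissions": {
            "repository": {"contents": "write", "pull_requests": "write"},
            "organization": {"members": "write"},
        },
        "access_granted_at": "2023-08-01T10:00:00Z",
        "token_expired": False,
        "token_expires_at": "2025-07-31T10:00:00Z",
        "token_last_used_at": "2024-02-01T09:15:00Z",
    },
])

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 7, 31, 17, 32, tzinfo=timezone.utc)
LONG_EXPIRY_DAYS = 180  # assumed policy threshold for this example
STALE_AFTER_DAYS = 90   # assumed policy threshold for this example


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps the API uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grants(body: str, now: datetime = NOW) -> List[Dict[str, object]]:
    """Return one finding per org-owned grant that deserves an admin's attention."""
    findings = []
    for grant in json.loads(body):
        reasons = []
        if grant.get("repository_selection") == "all":
            reasons.append("may access all repositories of the organization")
        org_perms = grant.get("permissions", {}).get("organization", {})
        org_writes = sorted(name for name, level in org_perms.items() if level == "write")
        if org_writes:
            reasons.append("organization-level write permission: " + ", ".join(org_writes))
        if grant.get("token_expired"):
            reasons.append("token already expired; the grant can be removed")
        elif (parse_ts(grant["token_expires_at"]) - now).days > LONG_EXPIRY_DAYS:
            reasons.append(f"expires more than {LONG_EXPIRY_DAYS} days from now")
        last_used = grant.get("token_last_used_at")
        if last_used and (now - parse_ts(last_used)).days > STALE_AFTER_DAYS:
            reasons.append(f"not used for more than {STALE_AFTER_DAYS} days")
        if reasons:
            findings.append({"id": grant["id"], "owner": grant["owner"]["login"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_RESPONSE):
        print(f"grant {finding['id']} owned by {finding['owner']}:")
        for reason in finding["reasons"]:
            print("  -", reason)
```

<p>Feed the script the body of an authenticated request to that endpoint made with an Org Admin's own credentials, and treat each finding as a candidate for the revoke action available on the organization's personal access token settings page; this is the review loop that classic PATs cannot get, because they never appear in that list.</p><p>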
Once the Org owns the PAT, you can see and manage them.<br><br>If the owner is set to the User, the PAT is invisible to and cannot be managed by Org Admins, but this also means that the token only has access to public repos:</p><figure class="post__image post__image--center"><img loading="lazy" src="https://www.finecloud.ch/media/posts/104/SCR-20240805-qyyf.png" height="429" width="996" alt="" sizes="100vw" srcset="https://www.finecloud.ch/media/posts/104/responsive/SCR-20240805-qyyf-xs.png 300w, https://www.finecloud.ch/media/posts/104/responsive/SCR-20240805-qyyf-sm.png 480w, https://www.finecloud.ch/media/posts/104/responsive/SCR-20240805-qyyf-md.png 768w, https://www.finecloud.ch/media/posts/104/responsive/SCR-20240805-qyyf-lg.png 1024w, https://www.finecloud.ch/media/posts/104/responsive/SCR-20240805-qyyf-xl.png 1360w, https://www.finecloud.ch/media/posts/104/responsive/SCR-20240805-qyyf-2xl.png 1600w"></figure><p>If you select the Organization as the Resource owner of the PAT instead, a fine-grained personal access token request is created, which needs to be approved by an Org. Admin before it can be used.</p><p>An overview of all Org. owned PATs can be found under this URL if you are an Org. Admin: https://github.com/organizations/&lt;your-gh-org-name&gt;/settings/personal-access-tokens/active</p><h2 id="overview-of-classic-vs-fine-grained-pats">Overview of Classic vs. Fine-grained PATs</h2><div><style type="text/css">.tg {border-collapse:collapse;border-spacing:0;}
.tg td{border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;
overflow:hidden;padding:10px 5px;word-break:normal;}
.tg th{border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;
font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}
.tg .tg-wp8o{text-align:center;vertical-align:top}
.tg .tg-73oq{text-align:left;vertical-align:top}</style><table class="tg"><thead><tr><th class="tg-73oq">Capability</th><th class="tg-wp8o">Classic PAT</th><th class="tg-wp8o">Fine-grained PAT</th></tr></thead><tbody><tr><td class="tg-73oq">Write access for public repositories that are not owned by you or by an organization that you are not a member of</td><td class="tg-wp8o">✅</td><td class="tg-wp8o">❌</td></tr><tr><td class="tg-73oq">Outside collaborators can access organization repositories that they are a collaborator on</td><td class="tg-wp8o">✅</td><td class="tg-wp8o">❌</td></tr><tr><td class="tg-73oq">Can be used with all REST API endpoints</td><td class="tg-wp8o">✅</td><td class="tg-wp8o">❌</td></tr><tr><td class="tg-73oq">Feature release status</td><td class="tg-wp8o">stable</td><td class="tg-wp8o">beta</td></tr><tr><td class="tg-73oq">Tokens must have an expiration date</td><td class="tg-wp8o">❌</td><td class="tg-wp8o">✅</td></tr><tr><td class="tg-73oq">Token can inherit all permissions of the User, incl. all repositories<br>within the organizations that the user has access to, without any<br>approval/review</td><td class="tg-wp8o">✅</td><td class="tg-wp8o">❌</td></tr><tr><td class="tg-73oq">Token permissions can be defined on repository level (fine-grained)</td><td class="tg-wp8o">❌</td><td class="tg-wp8o">✅</td></tr><tr><td class="tg-73oq">Organization owners can prevent tokens from accessing resources owned by the organization</td><td class="tg-wp8o">✅</td><td class="tg-wp8o">✅</td></tr><tr><td class="tg-73oq">Organization owners can require approval for each token that can access<br>the organization (e.g.
internal Repo) from externally without any other<br>auth requirement</td><td class="tg-wp8o">❌</td><td class="tg-wp8o">✅</td></tr></tbody></table></div></div><footer class="wrapper post__footer"><p class="post__last-updated">This article was updated on August 5, 2024</p><ul class="post__tag"><li><a href="https://www.finecloud.ch/tags/devops/">devops</a></li><li><a href="https://www.finecloud.ch/tags/github/">github</a></li><li><a href="https://www.finecloud.ch/tags/security/">security</a></li></ul><div class="post__share"></div></footer></article><nav class="post__nav"><div class="post__nav-inner"><div class="post__nav-prev"><svg width="1.041em" height="0.416em" aria-hidden="true"><use xlink:href="https://www.finecloud.ch/assets/svg/svg-map.svg#arrow-prev"/></svg> <a href="https://www.finecloud.ch/third-party-github-actions.html" class="post__nav-link" rel="prev"><span>Previous</span> Third-party GitHub Actions</a></div><div class="post__nav-next"><a href="https://www.finecloud.ch/automatically-update-hidden-dependencies-in-your-dockerfiles.html" class="post__nav-link" rel="next"><span>Next</span> Automatically update the hidden dependencies in your Dockerfiles </a><svg width="1.041em" height="0.416em" aria-hidden="true"><use xlink:href="https://www.finecloud.ch/assets/svg/svg-map.svg#arrow-next"/></svg></div></div></nav><div class="post__related related"><div class="wrapper"><h2 class="h5 related__title">You should also read:</h2><article class="related__item"><div class="feed__meta"><time datetime="2024-04-08T20:50" class="feed__date">April 8, 2024</time></div><h3 class="h1"><a href="https://www.finecloud.ch/third-party-github-actions.html">Third-party GitHub Actions</a></h3></article><article class="related__item"><div class="feed__meta"><time datetime="2024-04-05T21:02" class="feed__date">April 5, 2024</time></div><h3 class="h1"><a href="https://www.finecloud.ch/github-codespace.html">GitHub Codespace</a></h3></article><article class="related__item"><div 
class="feed__meta"><time datetime="2022-07-10T06:30" class="feed__date">July 10, 2022</time></div><h3 class="h1"><a href="https://www.finecloud.ch/java-access-modifier.html">Java Access-Modifier</a></h3></article></div></div></main><footer class="footer"><div class="footer__copyright"><p>Powered by Publii</p></div><button onclick="backToTopFunction()" id="backToTop" class="footer__bttop" aria-label="Back to top" title="Back to top"><svg><use xlink:href="https://www.finecloud.ch/assets/svg/svg-map.svg#toparrow"/></svg></button></footer></div><script>window.publiiThemeMenuConfig = {
mobileMenuMode: 'sidebar',
animationSpeed: 300,
submenuWidth: 'auto',
doubleClickTime: 500,
mobileMenuExpandableSubmenus: true,
relatedContainerForOverlayMenuSelector: '.top',
};</script><script defer="defer" src="https://www.finecloud.ch/assets/js/scripts.min.js?v=6ca8b60e6534a3888de1205e82df8528"></script><script>var images = document.querySelectorAll('img[loading]');
for (var i = 0; i < images.length; i++) {
if (images[i].complete) {
images[i].classList.add('is-loaded');
} else {
images[i].addEventListener('load', function () {
this.classList.add('is-loaded');
}, false);
}
}</script><script defer="defer" src="https://www.finecloud.ch/media/plugins/syntaxHighlighter/prism.js"></script></body></html>