Summary
Personal Access Tokens, or PATs, give users a quick way to create tokens they can use to make API calls. The tokens allow users to specify scopes to determine what the token can access. This is a typical way of getting API keys in other SaaS products. However, current PATs only have broad scopes (e.g. all repos or orgs), which grant access to anything the user can access; specific repos or orgs cannot be specified.
This improvement will introduce a new version of PATs that gives users the ability to scope access to specific repos and orgs, set fine-grained permissions across specific features, and set expiration dates for each token. It also gives organization administrators the ability to review and approve PATs created with access to their orgs, and to block the use of the previous version of PATs.
Intended Outcome
Allow users to create PATs with improved security and access controls, and organizations to ensure security best practices.
How will it work?
Once introduced, GitHub will provide UI and tools for creating and managing new PATs. This new version of PATs will support the following:
- Scoping access to specific repos and orgs
- Fine-grained permissions across specific features
- Expiration dates for each token
- Organization approval flows