GitHub OAuth Authentication
Implement the GitHub OAuth 2.0 authorization flow and manage tokens for GitHub OAuth Apps and GitHub Apps.
When to Use
- Building a "Sign in with GitHub" flow
- Exchanging authorization codes for access tokens
- Checking, resetting, or revoking OAuth tokens
- Managing OAuth app grants and permissions
OAuth Flow
- Redirect users to `https://github.com/login/oauth/authorize` with your `client_id`, `redirect_uri`, and requested `scope`
- User approves access on GitHub
- GitHub redirects back with an authorization `code`
- Exchange the code for an access token via `POST /login/oauth/access_token`
- Use the token in `Authorization: Bearer <token>` header for API requests
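
The flow above as an added Python example (not part of the original page or of GitHub's own code): it builds the authorize URL, validates the callback, and prepares the code-exchange request without sending it. It goes beyond the listed steps by adding the `state` parameter as a CSRF check on the callback; the function names and any client ID, secret or redirect URI passed in are assumptions.

```python
import hmac
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Return the authorization code, or raise if state is missing or wrong."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    # Constant-time comparison on bytes; an empty expected_state never matches.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Build (but do not send) the POST that exchanges the code for a token."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # server side only, never in a browser
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Accept": "application/json"},  # ask for a JSON response
    )
```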
Key Endpoints
| Endpoint | Method | Purpose |
|---|---|---|
| `/login/oauth/authorize` | GET | Redirect user to authorize |
| `/login/oauth/access_token` | POST | Exchange code for token |
| `/applications/{client_id}/token` | POST | Check token validity |
| `/applications/{client_id}/token` | PATCH | Reset a token |
| `/applications/{client_id}/token` | DELETE | Revoke a token |
| `/applications/{client_id}/grant` | DELETE | Revoke an app grant |
Token Prefixes
- `gho_`: OAuth app tokens
- `ghu_`: GitHub App user tokens
Authentication for Token Management
Token management endpoints (check, reset, delete) use HTTP Basic Auth with
client_id as username and client_secret as password. Include the target
access_token in the request body.
Required Headers
All GitHub API requests require:
- `Accept: application/json` (for token exchange) or `application/vnd.github+json`
- `X-GitHub-Api-Version: 2022-11-28`
API Reference
For complete schema details including all parameters, scopes, response formats,
and error codes, read references/openapi.yml.