Deprecating API authentication through query parameters

February 10, 2020
jovel
jpemberthy
ptoomey3

As mentioned in this previous blog post, GitHub has deprecated authentication through query parameters.

Deprecation timeline

Brownouts

During a brownout, authentication using query parameters will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

September 30, 2020
- From 7:00 AM UTC - 10:00 AM UTC
- From 4:00 PM UTC - 7:00 PM UTC
October 28, 2020
- From 7:00 AM UTC - 10:00 AM UTC
- From 4:00 PM UTC - 7:00 PM UTC

Removal date

All authentication using query parameters will return a status code of 401 like all other auth failures starting on:

November 13, 2020 at 4:00 PM UTC

Changes to make

Starting on November 13th, using access_token as a query parameter to access the API (as a user or as a GitHub App) or using client_id/client_secret to make OAuth app unauthenticated calls will be disabled. For examples, see below.

Common uses of access_token as a query param include:

Direct calls to the GitHub API using personal access tokens
GitHub Apps that make user-to-server calls on behalf of the user or with Apps using installation tokens to manage repositories.

Using access_token as a query param

If you're currently making an API call similar to

curl "https://api.github.com/user/repos?access_token=my_access_token"

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For details on how to generate a token, see "Creating a personal access token."

For details on how to set the token, see these guidelines.

Using client_id/client_secret as a query param

If you're using an OAuth app's client_id and client_secret to make unauthenticated calls with a higher rate limit similar to

curl "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id"

Instead, you should use the following format:

curl -u my_client_id:my_client_secret https://api.github.com/user/repos

Endpoints affected

All requests to endpoints that use the above style of authentication are affected.

If you have any questions or feedback, please let us know!