DEV Community

loading...
Cover image for Secure your GitHub Personal Access Tokens with an Expiration Date
GitHub

Secure your GitHub Personal Access Tokens with an Expiration Date

Davide 'CoderDave' Benvegnù
DevOps Architect @ Microsoft 👨‍💻 • YouTuber @ CoderDave 🎥 • Ex MMA fighter 🥊
・2 min read

GitHub has just introduced the ability to set an optional expiration date on personal access tokens (PATs). Users are now able to choose an expiration from a set of preset values, or specify a custom expiration date using a calendar drop-down.

Let's take a look at this new feature!

Video

As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.

Link to the video: https://youtu.be/f7t7cJp2v00

If you rather prefer reading, well... let's just continue :)

The Problem

Personal Access Tokens, or PATs, provide users with a quick way to create OAuth access tokens which they can use instead of passwords to make API calls or use services.

However, until now PATs didn't offer an expiration option, meaning they exist until they are manually disabled. Long-lived tokens can create large security implications if they leak.

Now this new optional expiration date increases both user's and organization's ability to secure how their data is accessed.

Set the Expiration Date

To set the expiration date to a PAT just go to the PAT creation, under Your Profile > Settings > Developer Setting > Personal Access Tokens, and in here after clicking on the "Generate new token" button you'll have, among the other things, the new "Expiration" drop down.

Dropdown

Here you can select any of the pre-defined options, between 7 and 90 days, or insert a custom expiration date.

Dropdown values

There is still the possibility to have non-expiring tokens, as you can see, but it is highly not recommended since, as I've mentioned before, that could represent a security issue in case the tokens leak.

It is also possible to update existing tokens, adding the expiration date... however, that requires the re-generation of the token key.

Conclusions

Let me know in the comment section below what do you think about this feature. And if you are new to Personal Access Tokens in GitHub, I highly encourage you to checkout this post or this video where I explain everything you need to know about them.

Like, share and follow me 🚀 for more content:

📽 YouTube
Buy me a coffee
💖 Patreon
🌐 CoderDave.io Website
👕 Merch
👦🏻 Facebook page
🐱‍💻 GitHub
👲🏻 Twitter
👴🏻 LinkedIn
🔉 Podcast

Buy Me A Coffee

Discussion (0)