How to Set Up a GitHub Personal Access Token (PAT): A Complete Guide
Learn how to create, configure, and securely use GitHub Personal Access Tokens for API access and automation.
Introduction
GitHub Personal Access Tokens (PATs) are essential for developers who need to access GitHub’s API, automate workflows, or grant applications secure access to their repositories. Whether you’re building CI/CD pipelines, managing repositories programmatically, or integrating with third-party tools, PATs provide a secure way to authenticate without using your password.
In this comprehensive guide, we’ll walk through the entire process of creating a GitHub PAT with the correct permissions, from navigating GitHub’s settings to securely storing and using your token.
What is a GitHub Personal Access Token?
A Personal Access Token is an alternative to using passwords for authentication to GitHub when using the API or the command line. Think of it as a password that:
- Can be scoped to specific permissions (read-only, write, admin)
- Can be revoked at any time without changing your main password
- Can be given expiration dates for enhanced security
- Works with 2FA (unlike passwords)
Step 1: Navigate to Developer Settings
First, you need to access GitHub’s developer settings where PATs are managed.
Instructions:
- Log into your GitHub account at github.com
- Click your profile picture in the top-right corner
- Select “Settings” from the dropdown menu
- Scroll down to the bottom of the left sidebar
- Click on “Developer settings”
![GitHub Settings Navigation]
Step 2: Choose Your Token Type
GitHub offers two types of Personal Access Tokens:
Option A: Fine-Grained Personal Access Tokens (Recommended)
- Best for: New projects, specific repository access
- Pros: Granular permissions, repository-specific, more secure
- Cons: Slightly more complex to set up
Option B: Tokens (Classic)
- Best for: Legacy integrations, broad access needs
- Pros: Simple, works with older tools
- Cons: Broader permissions, less granular control
Our Recommendation:
For most modern use cases, we recommend Fine-Grained Tokens. They follow the principle of least privilege—only granting the permissions you actually need.
Step 3: Create a Fine-Grained Token
Let’s create a fine-grained token with repository access:
Instructions:
- In Developer Settings, click “Personal access tokens”
- Select “Fine-grained tokens”
- Click the “Generate new token” button
- You may need to re-authenticate with your password
Token Configuration:
Token Name:
- Enter a descriptive name like:
MyApp Production AccessCI/CD Pipeline TokenDeveloper Environment Access
Expiration:
- Choose an expiration period:
- 7 days — For testing/development
- 30 days — Short-term projects
- 60 days — Medium-term access
- Custom — Set your own date
- No expiration — Not recommended for production
Description (Optional):
- Add notes about what this token is for
- Example: “Token for deploying augmi.world from Railway”
Step 4: Configure Repository Access
Choose which repositories this token can access:
Option 1: All Repositories
- Select “All repositories”
- The token will work with every repo you own or have access to
- Use case: CI/CD systems that deploy multiple projects
Option 2: Select Repositories
- Select “Only select repositories”
- Choose specific repositories from the dropdown
- Use case: Third-party integrations for a single project
- More secure: Limits blast radius if token is compromised
Step 5: Set Repository Permissions
This is the most critical step. Only grant permissions you actually need:
Essential Permissions for Common Use Cases:
For Read-Only Access (Cloning, Reading):
Repository permissions:
- Contents: Read-only
- Metadata: Read-only (automatically included)
For Development (Pushing Code, Managing Issues):
Repository permissions:
- Contents: Read and write
- Issues: Read and write
- Pull requests: Read and write
- Metadata: Read-only
For Full Repository Management:
Repository permissions:
- Administration: Read and write
- Contents: Read and write
- Issues: Read and write
- Pull requests: Read and write
- Actions: Read and write (for workflows)
- Secrets: Read and write (for managing repo secrets)
- Metadata: Read-only
For CI/CD Deployment:
Repository permissions:
- Contents: Read and write
- Actions: Read and write
- Statuses: Read and write
- Deployments: Read and write
- Metadata: Read-only
Account Permissions (Usually Not Needed):
Most automation only needs repository permissions. Account permissions like user:email or read:user are rarely necessary unless you’re building a GitHub app.
Step 6: Generate and Copy Your Token
- Review your settings one more time
- Click “Generate token” at the bottom of the page
- Important: Copy your token immediately!
- GitHub only shows the token once
- It looks like:
github_pat_11AEUDYQY0xxxxxxxxxxxxxxxx
- Store it securely (see next section)
⚠️ Warning: If you lose this token, you’ll need to generate a new one. GitHub cannot show it again for security reasons.
Step 7: Secure Storage Best Practices
Never commit your token to code repositories! Here are secure storage methods:
Method 1: Environment Variables (Recommended)
Create a .env file in your project root:
# .env
GITHUB_TOKEN=github_pat_11AEUDYQY0xxxxxxxxxxxxxxxx
Add .env to your .gitignore:
# .gitignore
echo ".env" >> .gitignore
Method 2: GitHub Secrets (For CI/CD)
If using GitHub Actions:
- Go to your repository → Settings → Secrets and variables → Actions
- Click “New repository secret”
- Name:
GITHUB_TOKEN - Value: Your PAT
- Click “Add secret”
Method 3: Secret Management Tools
For production environments, use:
- HashiCorp Vault
- AWS Secrets Manager
- Azure Key Vault
- Google Secret Manager
- 1Password Secrets Automation
- Doppler
Step 8: Using Your Token
With Git (HTTPS):
When cloning or pushing to a private repository:
# Clone with token
git clone https://YOUR_TOKEN@github.com/username/repo.git
# Or use in remote URL
git remote set-url origin https://YOUR_TOKEN@github.com/username/repo.git
With cURL (API Access):
# Get user information
curl -H "Authorization: Bearer YOUR_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user
# List repositories
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://api.github.com/user/repos
With GitHub CLI:
# Authenticate with your token
gh auth login --with-token < YOUR_TOKEN.txt
# Or set as environment variable
export GH_TOKEN=YOUR_TOKEN
With Node.js/JavaScript:
// Using Octokit (GitHub's official SDK)
const { Octokit } = require('@octokit/rest');
const octokit = new Octokit({
auth: process.env.GITHUB_TOKEN
});
// Get repository info
const { data } = await octokit.repos.get({
owner: 'username',
repo: 'repository-name'
});
With Python:
import requests
token = "YOUR_TOKEN"
headers = {
"Authorization": f"Bearer {token}",
"Accept": "application/vnd.github.v3+json"
}
# Get repository
response = requests.get(
"https://api.github.com/repos/username/repo",
headers=headers
)
print(response.json())
Troubleshooting Common Issues
Issue 1: “Bad credentials” Error
Cause: Token is invalid or expired
Solution: Generate a new token, check for typos
Issue 2: “Resource not accessible by personal access token”
Cause: Token lacks required permissions
Solution: Edit token to add necessary permissions, or regenerate with correct scope
Issue 3: “404 Not Found” on Private Repo
Cause: Token doesn’t have access to that repository
Solution: Update token’s repository access settings
Issue 4: Token Works Locally but Not in CI/CD
Cause: Token not properly set in environment
Solution: Verify secret name matches, check for trailing spaces
Issue 5: “Write access to repository not granted”
Cause: Token has read-only permissions
Solution: Update Contents permission to “Read and write”
Security Checklist
✅ Use Fine-Grained Tokens when possible
✅ Set expiration dates — rotate tokens regularly
✅ Grant minimum permissions — principle of least privilege
✅ Store in environment variables — never hardcode
✅ Add .env to .gitignore — prevent accidental commits
✅ Revoke unused tokens — clean up periodically
✅ Monitor token usage — check GitHub security logs
✅ Use repository-specific tokens — limit blast radius
✅ Enable 2FA on your GitHub account — extra layer of security
Managing and Revoking Tokens
View All Tokens:
- Go to Settings → Developer settings → Personal access tokens
- See list of all active tokens with expiration dates
Revoke a Token:
- Find the token in the list
- Click “Delete” or “Revoke”
- Confirm the action
- Immediate effect: Token stops working instantly
Edit a Token (Fine-Grained Only):
- Click on the token name
- Modify permissions or repository access
- Click “Save”
Real-World Example: Complete Setup
Let’s set up a token for a typical development workflow:
Scenario:
You need to automate deployments from Railway to GitHub.
Token Configuration:
Name: Railway Deployment Token
Expiration: 90 days
Repository access: Select repositories → my-app
Permissions:
- Contents: Read and write
- Actions: Read and write
- Deployments: Read and write
Usage:
# In your deployment script
export GITHUB_TOKEN=github_pat_11AEUDYQY0xxxxxxxxxxxxxxxx
git push https://${GITHUB_TOKEN}@github.com/username/my-app.git main
Storage:
# .env file
cat > .env << EOF
GITHUB_TOKEN=github_pat_11AEUDYQY0xxxxxxxxxxxxxxxx
EOF
# .gitignore
echo ".env" >> .gitignore
echo ".github_token" >> .gitignore
Conclusion
GitHub Personal Access Tokens are powerful tools that enable secure automation and API access. By following this guide, you’ve learned to:
- Create both fine-grained and classic tokens
- Configure appropriate permissions for your use case
- Securely store tokens using environment variables
- Use tokens with Git, API calls, and various programming languages
- Troubleshoot common authentication issues
- Follow security best practices
Remember: Security is an ongoing process. Regularly audit your tokens, rotate them before expiration, and always follow the principle of least privilege.
Additional Resources
- GitHub Docs: Managing your personal access tokens
- GitHub REST API Documentation
- GitHub Security Best Practices
Last updated: February 2026