You've used GitHub to fork a new repository. You've used Git to clone it to your computer, you've made your edits, and you're finally at the point where you are ready to push your changes back to GitHub. Remember, you needed to log in to GitHub to access your account. The same goes for Git; it can't simply make changes to a repo on your GitHub account without first authenticating. That would be seriously insecure! This page explains how to use a personal access token to authenticate Git to interact with GitHub from your command line.
A personal access token (PAT) is an alternative to using a password for authentication. You should treat your PAT exactly as you would a password! PATs provide the same access in a more limited scope. GitHub opted to move to using PATs for authentication via command line, instead of allowing the continued use of password authentication. That means that to be able to push your changes to your newly forked repository, you'll need to generate your own PAT.
Remember, you're here because your push failed to authenticate.
When you're done with the steps on this page, you'll run the same command again, with different results.
Let's get started!
A Note about GitHub Personal Access Token Types
There are currently two types of personal access tokens available within GitHub: fine-grained and classic. GitHub suggests using fine-grained whenever possible. As you'll see, this page explains classic token generation. Here's why.
There are a few differences between fine-grained and classic tokens that make fine-grained tokens more secure. One of those differences is that fine-grained token access is limited to specific repositories. This guide is intended to provide you with a workflow that will apply to any public repository that you decide to contribute to. Using a fine-grained token would mean updating the token every time you decide to contribute to a new repository. Using a classic token means it will apply across the board to any repository you choose to fork.
Further, and most relevant to this guide, GitHub has made it abundantly clear that fine-grained PATs are currently in beta, and therefore subject to change. Covering fine-grained token creation here could result in incorrect info at any time as GitHub continues to improve this feature.
Therefore, the choice was made to demonstrate creating a classic personal access token. It seems likely that fine-grained PATs will eventually replace classic, and at that time, this page will be updated, and this section removed.
The Personal Access Tokens Menu
The first step is to navigate to the menu where you can begin generating your new token.
Click on your profile image in the upper right corner of any page on GitHub.
In the profile image menu, scroll to the bottom and click Settings.
Settings has a lot of options! It's every setting, configuration, setup, etc. for your entire account. Everything is listed down the left side. The option you're looking for is at the bottom. Scroll down to the end of the list.
Click the Developer Settings option at the end of the list.
Developer Settings is a much shorter menu. Click the arrow next to Personal access tokens to expand the menu.
Choose Tokens (classic).
This opens the classic PAT list. If you have not yet created a classic PAT, you'll see the following. Click Generate new token.
From the Generate new token menu, choose Generate new token (classic).
Now it's time to create your new token!
Generating a New GitHub Token (classic)
After clicking Generate new token (classic), you're taken to the New personal access token (classic) page. There are three sections you'll want to update: Note, Expiration, Select scopes.
While the only required section is Expiration (denoted by the red asterisk), for this purpose you will absolutely need to update Select scopes as well. Adding a note is strictly for you, and has no functional effect on the token, but your future self will thank your current self when you go back to view your token list, and it's clear which tokens are for what purpose.
For the Note, you'll want to add a phrase that makes it clear to you that you'll be using this token for authenticating Git with GitHub interactions. The following is a suggestion, but you can enter whatever works for you.
Choose an Expiration. This is the date upon which this token will expire, and if set, will require you to generate a new token at that point, and use it for its duration.
You can choose "No expiration", but you will receive a warning from GitHub informing you that it is less secure (spoiler: it is). No expiration means the token will continue to work until you manually revoke it. If it is ever compromised and you are unaware, it will remain exploitable until you happen to revoke it. Setting an expiration means that it will stop working after N days, limiting its exploitability.
A good compromise is to choose 90 days. You will only have to regenerate a token four times per year, and you'll still be more secure.
The final section is Select scopes. Scopes let you give the token access to only the features you plan to use it for. This is also for security reasons; if you gave every token full access and one ended up compromised, the potential damage would be much higher than if the scope were limited.
To be able to successfully interact with GitHub using Git via command line, you need only three options from the entire list. Check the following boxes nested under repo:
- repo:status
- repo_deployment
- public_repo
Now, verify that all of the information you provided is correct. Your New personal access token (classic) page should now resemble the following.
When you're happy with it, scroll down to the bottom of the page, and click Generate token.
Your New Token
You'll be returned to the Personal access tokens (classic) page. This time, however, you'll see your new token.
You must immediately copy your new token. This is the only time the token itself will be displayed. Copy it by clicking on the copy button (the two-box icon to the right of the token). Store it someplace secure to which you have access, such as a password manager. You will need to use it later to authenticate Git.
Once you navigate away from that page, or refresh it, you will no longer have access to the token.
When you return to this page, you will see only the information about your token. On the left side, you'll find the Note text as a link, followed by the scopes you selected. Below the Note text is the date that the token will expire. On the right side you'll see when you last used the token, and a Delete button.
There is no way to view the token again. You may delete it if you no longer need it.
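The scopes and expiration shown in the token list can also be checked from the command line, because GitHub reports them in the response headers of any API request made with the token. The script below is an added example, not part of the original guide: it flags any scope beyond the three selected above and any token without an expiration. The `GITHUB_TOKEN` variable name and both sets of sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the headers GitHub returns for a request made with a PAT.
# To capture real headers without placing the token in the process list
# (GITHUB_TOKEN is a hypothetical variable holding your PAT):
#   printf 'header = "Authorization: Bearer %s"\n' "$GITHUB_TOKEN" |
#     curl -s -K - -D - -o /dev/null https://api.github.com/user

# The three scopes this guide selects; anything else is broader than needed.
ALLOWED="repo:status repo_deployment public_repo"

# header_value NAME: print the value of header NAME (case-insensitive) from stdin.
header_value() {
    tr -d '\r' | awk -v want="$1" -F': ' '
        tolower($1) == tolower(want) { sub(/^[^:]*: */, ""); print; exit }'
}

# audit_token HEADERS: print one finding per line; return 1 if there are any.
audit_token() {
    headers=$1
    findings=0
    scopes=$(printf '%s\n' "$headers" | header_value x-oauth-scopes | tr ',' ' ')
    for s in $scopes; do
        case " $ALLOWED " in
            *" $s "*) ;;                               # scope is one of the three
            *) echo "extra scope: $s"; findings=1 ;;   # broader than the guide needs
        esac
    done
    # GitHub omits this header when the token was created with "No expiration".
    expiry=$(printf '%s\n' "$headers" |
        header_value github-authentication-token-expiration)
    if [ -z "$expiry" ]; then
        echo "no expiration set"; findings=1
    fi
    return $findings
}

# Constructed sample headers (not captured from a real account).
GOOD_HEADERS='HTTP/2 200
x-oauth-scopes: public_repo, repo:status, repo_deployment
github-authentication-token-expiration: 2030-01-01 00:00:00 UTC'

BAD_HEADERS='HTTP/2 200
x-oauth-scopes: repo, delete_repo'

audit_token "$GOOD_HEADERS" && echo "good token: no findings"
audit_token "$BAD_HEADERS" || echo "bad token: see findings above"
```
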
Authenticating via Command Line
It's time to go back to your terminal program. Run the exact same push command you ran earlier. When asked for your username, enter it as before. This time, however, when asked for your password, enter your new personal access token.
Success! Now you can continue to the next step, creating your pull request!
Further Information
GitHub has excellent documentation on Managing your personal access tokens. It includes the process to store your PAT locally so you don't have to reenter it when you're working with Git. If you're interested in more information about how to maintain and manage your new PAT, the GitHub docs have you covered!