GitHub Personal Access Token (PAT)
GitHub Personal Access Tokens allow API access for creating repositories, managing issues, and other programmatic operations.
Token Generation
Create Token on GitHub
- Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click "Generate new token (classic)"
- Configure token:
  - Note: "VPS Server API Token" (or descriptive name)
  - Expiration: Choose appropriate duration
  - Scopes: Select required permissions
Required Scopes
For repository creation and management:
- repo - Full control of private repositories
- repo:status - Access commit status
- repo_deployment - Access deployment status
- public_repo - Access public repositories
- repo:invite - Access repository invitations
- workflow - Update GitHub Action workflows (if needed)
- write:packages - Upload packages (if needed)
- delete_repo - Delete repositories (optional, use with caution)
Token Storage
Secure Token Storage
Store the token in a protected file:
# Create config directory
mkdir -p ~/.config/github
# Save token with restricted permissions
# (umask 077 creates the file as 600, so it is never briefly readable by other users)
(umask 077; echo "ghp_YOUR_TOKEN_HERE" > ~/.config/github/token)
chmod 600 ~/.config/github/token
# Verify storage
ls -la ~/.config/github/
Expected Output:
total 12
drwxrwxr-x 2 rezriz rezriz 4096 Feb 5 15:12 .
drwxrwxr-x 8 rezriz rezriz 4096 Feb 5 15:12 ..
-rw------- 1 rezriz rezriz 41 Feb 5 15:12 token
Alternative Storage Locations
# Option 1: In .ssh directory (alongside SSH keys)
(umask 077; echo "ghp_YOUR_TOKEN" > ~/.ssh/github_token)
chmod 600 ~/.ssh/github_token
# Option 2: In home directory (hidden file)
(umask 077; echo "ghp_YOUR_TOKEN" > ~/.github_token)
chmod 600 ~/.github_token
# Option 3: Environment variable (session only)
export GITHUB_TOKEN="ghp_YOUR_TOKEN"
Using the Token
Create Repository via API
# Read token from file
TOKEN=$(cat ~/.config/github/token)
# Create public repository
curl -X POST -H "Authorization: token $TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos \
-d '{
"name": "my-new-repo",
"description": "Repository created via API",
"private": false,
"auto_init": true
}'
Create Private Repository
TOKEN=$(cat ~/.config/github/token)
curl -X POST -H "Authorization: token $TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos \
-d '{
"name": "my-private-repo",
"description": "Private repository",
"private": true,
"auto_init": true
}'
Verify Token Access
# Test authentication
TOKEN=$(cat ~/.config/github/token)
curl -H "Authorization: token $TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user
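An added example (not part of the original page): a wrapper that refuses to use the token file unless it is a regular file with mode 600 or 400, and passes the Authorization header to curl on stdin through --config - so the token does not show up in the process list the way it does with -H on the command line. The function names token_file_ok, gh_auth_config and gh_api are hypothetical.

```shell
# Added example; token_file_ok, gh_auth_config and gh_api are hypothetical names.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.config/github/token}"

# Succeed only for a regular file (not a symlink) accessible by the owner alone.
token_file_ok() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r[w-]-------) return 0 ;;   # mode 600 or 400
        *) return 1 ;;
    esac
}

# Print a curl config line carrying the auth header, for use with `curl --config -`.
gh_auth_config() {
    f="$1"
    if ! token_file_ok "$f"; then
        echo "refusing $f: expected a regular file with mode 600" >&2
        return 1
    fi
    token=$(tr -d '\r\n' < "$f")
    case "$token" in
        ''|*[!A-Za-z0-9_]*)
            echo "token in $f is empty or contains unexpected characters" >&2
            return 1 ;;
    esac
    printf 'header = "Authorization: token %s"\n' "$token"
}

# Call the GitHub API; extra curl arguments follow the path.
# Example: gh_api /user    or    gh_api /user/repos -X POST -d '{"name":"my-new-repo"}'
gh_api() {
    path="$1"; shift
    cfg=$(gh_auth_config "$TOKEN_FILE") || return 1
    # printf is a shell builtin, so the token is never an argument of an external process.
    printf '%s\n' "$cfg" | curl -sS --config - \
        -H "Accept: application/vnd.github.v3+json" \
        "$@" "https://api.github.com$path"
}
```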
Automated Repository Setup Script
Create Setup Script
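#!/bin/bash
# File: setup_github_repo.sh
REPO_NAME="$1"
DESCRIPTION="${2:-Repository created via script}"
PRIVATE="${3:-false}"
# Read token
TOKEN=$(cat ~/.config/github/token 2>/dev/null)
if [ -z "$TOKEN" ]; then
    echo "Error: GitHub token not found in ~/.config/github/token"
    exit 1
fi
if [ -z "$REPO_NAME" ]; then
    echo "Usage: $0 <repo-name> [description] [private]"
    exit 1
fi
# Validate arguments before interpolating them into the JSON body
case "$REPO_NAME" in
    *[!A-Za-z0-9._-]*) echo "Error: invalid repository name: $REPO_NAME"; exit 1 ;;
esac
case "$PRIVATE" in
    true|false) ;;
    *) echo "Error: [private] must be true or false"; exit 1 ;;
esac
# Escape backslashes and double quotes so the description stays a valid JSON string
DESCRIPTION=$(printf '%s' "$DESCRIPTION" | sed 's/\\/\\\\/g; s/"/\\"/g')
# Create repository, keeping the response body and the HTTP status code
BODY=$(mktemp)
STATUS=$(curl -sS -o "$BODY" -w '%{http_code}' -X POST -H "Authorization: token $TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    https://api.github.com/user/repos \
    -d "{
    \"name\": \"$REPO_NAME\",
    \"description\": \"$DESCRIPTION\",
    \"private\": $PRIVATE,
    \"auto_init\": false
    }")
cat "$BODY"
rm -f "$BODY"
# The API answers 201 Created on success; anything else is a failure
if [ "$STATUS" != "201" ]; then
    echo "Error: repository creation failed (HTTP $STATUS)"
    exit 1
fi
echo -e "\n Repository created: https://github.com/donnyaw/$REPO_NAME"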
Make Script Executable
chmod +x setup_github_repo.sh
Usage Examples
# Create public repository
./setup_github_repo.sh my-project "My awesome project"
# Create private repository
./setup_github_repo.sh secret-project "Private repo" true
Token Management
List Active Tokens
- Go to GitHub → Settings → Developer settings → Personal access tokens
- Review all active tokens
- Check last used date
Revoke Token
If a token is compromised:
- Go to GitHub → Settings → Developer settings → Personal access tokens
- Find the token
- Click "Delete" or "Revoke"
- Generate new token
- Update stored token file
Rotate Token
# Remove old token
rm ~/.config/github/token
# Save new token (umask 077 creates the file as 600 from the start)
(umask 077; echo "ghp_NEW_TOKEN_HERE" > ~/.config/github/token)
chmod 600 ~/.config/github/token
Security Best Practices
Critical Security Rules
- Never commit tokens to repositories
  # Add to .gitignore
  echo ".github_token" >> ~/.gitignore
  echo "github_token" >> ~/.gitignore
  # Git reads ~/.gitignore as a global ignore file only when it is set as core.excludesFile
  git config --global core.excludesFile ~/.gitignore
- Use environment-specific tokens
  - Production server: One token
  - Development server: Different token
  - Local machine: Another token
- Minimal permissions
  - Only grant scopes you actually need
  - Avoid admin:* scopes unless required
- Regular rotation
  - Rotate tokens every 90 days
  - Update expiration dates
- Monitor usage
  - Check "Last used" on GitHub
  - Revoke unused tokens
Find Exposed Tokens
# Search for potential token files
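# (the name tests are grouped so -type f applies to both; .git directories are skipped by path,
# because piping through grep -v ".git" would also drop every path containing "github")
find ~/.config ~/.ssh ~ -maxdepth 2 -type f \( -name "*github*" -o -name "*token*" \) ! -path "*/.git/*" 2>/dev/null
# Search for accidentally committed tokens
grep -r --exclude-dir=.git "ghp_" ~/github/ 2>/dev/null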
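An added example (not part of the original page) that goes beyond the ghp_ search above: it matches whole tokens rather than the bare prefix, masks each hit so the scan output does not leak the secret again, and also searches git history, where a token that was committed and later deleted still lives. The names scan_tree, scan_history and redact are hypothetical, and the pattern assumes a GitHub prefix (ghp_, gho_, ghu_, ghs_, ghr_) followed by 36 alphanumerics.

```shell
# Added example; scan_tree, scan_history and redact are hypothetical names.
# Assumed pattern: a GitHub token prefix (ghp_, gho_, ghu_, ghs_, ghr_) plus 36 alphanumerics.
TOKEN_RE='gh[pousr]_[A-Za-z0-9]{36}'

# Mask everything after the prefix and the first four characters of each match.
redact() {
    sed -E 's/(gh[pousr]_[A-Za-z0-9]{4})[A-Za-z0-9]{32}/\1<redacted>/g'
}

# Working tree: print file:line:content for each hit, skipping .git and binary files.
scan_tree() {
    grep -rInE --exclude-dir=.git "$TOKEN_RE" "$1" 2>/dev/null | redact
}

# History: a token that was committed and later removed is gone from the working
# tree but still present in old commits, so search the added lines of every patch
# on every ref.
scan_history() {
    git -C "$1" log --all -p --no-color 2>/dev/null | grep -E "^\+.*$TOKEN_RE" | redact
}
```

Any token found by either function should be revoked as described under Revoke Token, since deleting the file or the commit does not invalidate it.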
Common Use Cases
1. Automated Repository Creation
TOKEN=$(cat ~/.config/github/token)
# Create multiple repositories
for repo in "project-1" "project-2" "project-3"; do
curl -X POST -H "Authorization: token $TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos \
-d "{\"name\": \"$repo\", \"private\": false}"
sleep 2
done
2. Clone Private Repositories
# Note: the token becomes part of the remote URL, which git saves in the clone's .git/config
git clone https://$(cat ~/.config/github/token)@github.com/donnyaw/private-repo.git
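The clone command above places the token in the remote URL, which git stores in the clone's .git/config. As an added example (not part of the original page), a git credential helper can supply the token from the protected file instead, and only for https://github.com. The names gh_credential_helper and GH_USER are hypothetical, and the username default is a placeholder.

```shell
# Added example; gh_credential_helper and GH_USER are hypothetical names.
# Git's credential-helper protocol: git passes the operation (get, store, erase)
# as the first argument and key=value request lines on stdin; for "get" the
# helper answers with username= and password= lines.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.config/github/token}"
GH_USER="${GH_USER:-YOUR_GITHUB_USERNAME}"   # placeholder, replace with your account

gh_credential_helper() {
    op="$1"
    # Only answer lookups; "store" and "erase" are ignored so nothing is written anywhere.
    [ "$op" = "get" ] || return 0
    protocol="" host=""
    while IFS='=' read -r key value; do
        [ -n "$key" ] || break            # a blank line ends the request
        case "$key" in
            protocol) protocol="$value" ;;
            host)     host="$value" ;;
        esac
    done
    # Release the token only to github.com over HTTPS, never to another host.
    [ "$protocol" = "https" ] && [ "$host" = "github.com" ] || return 0
    [ -r "$TOKEN_FILE" ] || return 0
    printf 'username=%s\n' "$GH_USER"
    printf 'password=%s\n' "$(tr -d '\r\n' < "$TOKEN_FILE")"
}

# Lets the file act as the helper executable itself when git invokes it.
gh_credential_helper "$@"
```

Installed as an executable named git-credential-ghfile on PATH (the name is an assumption), it is enabled with git config --global credential.https://github.com.helper ghfile, after which git clone https://github.com/donnyaw/private-repo.git needs no token in the URL.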
3. CI/CD Integration
# In GitHub Actions workflow
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Troubleshooting
Token Not Working
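# Verify token file exists and is not empty (without printing the token to the terminal)
test -s ~/.config/github/token && echo "token file present"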
# Test token validity
TOKEN=$(cat ~/.config/github/token)
curl -H "Authorization: token $TOKEN" https://api.github.com/user
Permission Denied
- Check token scopes on GitHub
- Ensure required permissions are granted
- Regenerate token if needed
Rate Limiting
GitHub API has rate limits:
- Authenticated: 5,000 requests/hour
- Unauthenticated: 60 requests/hour
Check limit status:
TOKEN=$(cat ~/.config/github/token)
curl -H "Authorization: token $TOKEN" https://api.github.com/rate_limit