GitHub CLI Authentication With Access Token

The guide shows how to authenticate against GitHub's git repository with access token in automation friendly way

Tuesday, December 3, 2019

Generate The Access Token

To generate your GitHub account access token, navigate to the GitHub website -> click on Settings under your account menu -> Developer settings -> Personal access tokens. Click on Generate new token button where you can set the token scopes, such as access to the repository, packages, etc.

Setup Authentication Header

Authentication with your personal access token (PAT) is made by specifying http.extraheader value. The value follows the formula "AUTHORIZATION: basic <base64>" where <base64> is base64(x-access-token:<accessToken>) where <accessToken> is your personal access token.

Example: Access token is abcd123456789efgh

x-access-token:<accessToken> is x-access-token:abcd123456789efgh
base64(x-access-token:abcd123456789efgh) is eC1hY2Nlc3MtdG9rZW46YWJjZDEyMzQ1Njc4OWVmZ2g=
The header then has form of http.extraheader="AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46YWJjZDEyMzQ1Njc4OWVmZ2g="

Authenticate With The Header

Authentication is made simply by specifying the http.extraheader along your git commands, such as

git -c http.extraheader="AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46YWJjZDEyMzQ1Njc4OWVmZ2g=" fetch origin

Closing Notes

There is no prompt to provide git credentials when providing http.extraheader along with git commands to the remote repository. Thus this method is very useful e.g. in automated CI/CD processes where you are not able to insert your git credentials during automated processes.

Notice however that your personal access token is obtainable from the header itself (base64 decode will uncover your PAT). Thus it is necessary to mask the value of the header when e.g. logging the command in the console.