Release

April 29, 2025 · 1 minute read

Credential revocation API to revoke exposed PATs is now generally available

You can now revoke an exposed GitHub personal access token (PAT) you found outside of repositories, even if it’s not yours, to help quickly limit the impact of the exposure and improve the security of the software ecosystem.

If you find classic or fine-grained PATs on GitHub or elsewhere, you can submit a bulk revocation request using the new Credential Revocation REST API. For each valid token the API receives, it revokes the token and records the revocation in the token owner's audit log. If the exposed token had been granted access to a GitHub organization, that access is removed along with the token.
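The following is an added example of the workflow described above, not code from the changelog or from GitHub: it scans a piece of text (a CI log, a paste, a config dump) for strings shaped like classic and fine-grained PATs, deduplicates them, splits them into batches that respect the 1000-tokens-per-request cap, and POSTs each batch to the revocation API. The endpoint path `/credentials/revoke`, the request headers, and the `{"credentials": [...]}` body shape are taken from GitHub's REST documentation as an assumption, since the changelog only names the API; the token length patterns and the sample log lines are likewise assumptions constructed for this example.

```python
"""Scan text for GitHub PATs and submit them to the Credential Revocation API in batches.

Added example; not code from the changelog or from GitHub. Endpoint path, headers
and token formats are assumptions noted inline.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Limits stated in the changelog: 60 unauthenticated requests/hour, 1000 tokens/request.
MAX_TOKENS_PER_REQUEST = 1000
MAX_REQUESTS_PER_HOUR = 60

# Assumption: endpoint and headers follow GitHub's REST docs for "Revoke a list of
# credentials"; the changelog itself names only the API, not the path.
REVOKE_URL = "https://api.github.com/credentials/revoke"

# Assumption: classic PATs are "ghp_" + 36 alphanumerics; fine-grained PATs are
# "github_pat_" + 22 alphanumerics + "_" + 59 alphanumerics.
PAT_RE = re.compile(
    r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)


def extract_pats(text):
    """Return the distinct PAT-shaped strings in text, in first-seen order."""
    return list(dict.fromkeys(m.group(0) for m in PAT_RE.finditer(text)))


def batch(tokens, size=MAX_TOKENS_PER_REQUEST):
    """Split tokens into lists of at most `size`, the per-request cap."""
    return [tokens[i:i + size] for i in range(0, len(tokens), size)]


def send_batch(tokens):
    """POST one batch of tokens; return the HTTP status (202 Accepted on success)."""
    req = urllib.request.Request(
        REVOKE_URL,
        data=json.dumps({"credentials": tokens}).encode("utf-8"),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
            "X-GitHub-Api-Version": "2022-11-28",
            "User-Agent": "pat-revocation-example",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 429 once the hourly request budget is exhausted


def revoke_found_tokens(text, send=send_batch):
    """Find PATs in text and submit them in batches; return (batch_size, status) pairs.

    Refuses to exceed the hourly request budget rather than silently dropping tokens.
    """
    batches = batch(extract_pats(text))
    if len(batches) > MAX_REQUESTS_PER_HOUR:
        raise ValueError(
            f"{len(batches)} requests needed but only {MAX_REQUESTS_PER_HOUR} allowed per hour"
        )
    return [(len(b), send(b)) for b in batches]


# Constructed sample input: a CI log excerpt with fake tokens, not real credentials.
SAMPLE = """\
2025-04-29 10:02:11 ci-runner: export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
token = "github_pat_ABCDEFGHIJKLMNOPQRSTUV_0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW"
2025-04-29 10:02:12 ci-runner: retrying with ghp_0123456789abcdefghijklmnopqrstuvwxyz
ghp_tooshort is not a token and is ignored
"""

if __name__ == "__main__":
    # Usage: python revoke_pats.py < leaked.txt   (reads stdin; with no input, only scans SAMPLE)
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    if data:
        print(revoke_found_tokens(data))
    else:
        print("found:", extract_pats(SAMPLE))
```

Two practical points. First, the API revokes every valid token it is given, so feed it only material you have reason to believe is exposed; pointing the script at your own secrets store would revoke tokens that are still in legitimate use. Second, the 60-requests-per-hour budget combined with the 1000-token batch size bounds one caller at 60,000 revocations per hour; the script raises rather than exceeding that so nothing is dropped silently.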

A screenshot of the user's audit log event, titled "oauth_access.revoke".

It also notifies the token owner of the revocation through an email sent to the primary email address associated with the owner’s GitHub user account:

A screenshot of an email titled "Action needed: Personal access token was revoked"

This is an unauthenticated API and is available to all users on github.com. Because no authentication is required, anyone who has obtained a token value can revoke it; the token owner is notified by email and the revocation appears in their audit log. To limit abuse, the API accepts at most 60 unauthenticated requests per hour and at most 1000 tokens per request.

Learn more in our documentation on best practices for revoking exposed tokens.
