This is the first post of a series about different Authentication strategies for GitHub's APIs. The different strategies that I plan to write about are
- Personal Access Tokens
- GitHub Actions
- Username & Password (Basic)
- GitHub Apps
While it is possible to send unauthenticated REST API requests, only 60 requests per hour are permitted. Unauthenticated requests are rate limited based on IP addresses, so if you sent them from virtual servers such as most CI environments they are likely depleted most of the time.
Sending an anonymous request responds with
X-RateLimit-* headers stating that less than 60 more requests can be sent until the rate limit is reset. For this example, I'm using curl
curl --head https://api.github.com/repos/octokit/core.js/releases/latest X-RateLimit-Limit: 60 X-RateLimit-Remaining: 59 X-RateLimit-Reset: 1578690442
Sending the same request with an authorization header shows the increased rate limit
curl --head \ --header "Authorization: token 70e98949b567d678f62ed81866a1cd54aaeee400" \ https://api.github.com/repos/octokit/core.js/releases/latest X-RateLimit-Limit: 5000 X-RateLimit-Remaining: 4999 X-RateLimit-Reset: 1578690903
70e98949b567d678f62ed81866a1cd54aaeee400 is an example of a personal access token, which I wrote about in the next post of this series.