GitHub API Authentication - Introduction

gr2m profile image Gregor Martynus Updated on ・1 min read

This is the first post of a series about different Authentication strategies for GitHub's APIs. The different strategies that I plan to write about are

  1. Personal Access Tokens
  2. GitHub Actions
  3. Username & Password (Basic)
  4. OAuth
  5. Webhooks
  6. GitHub Apps
  7. CLI

Authenticating requests is required for GitHub's GraphQL API and strongly encouraged for GitHub's REST API.

While it is possible to send unauthenticated REST API requests, only 60 requests per hour are permitted. Unauthenticated requests are rate limited based on IP addresses, so if you sent them from virtual servers such as most CI environments they are likely depleted most of the time.


Sending an anonymous request responds with X-RateLimit-* headers stating that less than 60 more requests can be sent until the rate limit is reset. For this example, I'm using curl

curl --head https://api.github.com/repos/octokit/core.js/releases/latest
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
X-RateLimit-Reset: 1578690442

Sending the same request with an authorization header shows the increased rate limit

curl --head \
     --header "Authorization: token 70e98949b567d678f62ed81866a1cd54aaeee400" \
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4999
X-RateLimit-Reset: 1578690903

The string 70e98949b567d678f62ed81866a1cd54aaeee400 is an example of a personal access token, which I wrote about in the next post of this series.

Posted on by:

gr2m profile

Gregor Martynus


Father of triplets Nico, Ada & Kian. Web developer with 20+ yrs experience. JavaScript Octokit Maintainer for GitHub. He/him


markdown guide

Gregor, thanks for writing this. Maybe you want to update the broken link at the end of the post that points to the next post of this series.


fixed, thank you! I wonder how that broke 🤔