Are you still relying on long-lived GitHub tokens—like Personal Access Tokens (PATs) or OAuth tokens used with the GitHub CLI—stored on your local machine?
If so, you might be exposing yourself to unnecessary risks.
Enter ghtkn: a tool built to dramatically reduce those risks by using short-lived, secure tokens via GitHub Apps.
The Problem with Traditional Tokens
Many developers use PATs or GitHub CLI tokens that:
- Remain dangerous if leaked
- Live indefinitely or for many months
- Have overly broad permissions
- Are hard to rotate regularly
Any leak or compromise can lead to serious, lasting damage.
How ghtkn Solves This
ghtkn is designed to tackle these issues by introducing a more secure, manageable workflow:
- Short-lived tokens — tokens expire after 8 hours, so leaks are less damaging.
- No secrets required — you only need the GitHub App Client ID, which is not sensitive. No Private Key / Client Secret to guard.
- User-attributed actions — actions are done as you, not under a generic app identity.
- Automatic management — tokens are stored and reused securely via OS secret managers (Windows Credential Manager, macOS Keychain, GNOME Keyring). You don’t have to juggle them manually.
Getting Started
Here’s how you set up ghtkn:
- Install ghtkn
- Create a GitHub App with Device Flow enabled. Don’t bother with private keys or secrets. You only need a Client ID.
- Initialize configuration via `ghtkn init` to create a `ghtkn.yaml`, where you define which GitHub Apps you’ll use.
- Use `ghtkn get` to generate your 8-hour user access token (via Device Flow). Approve in the browser using the code shown in the terminal.
Extras & Advanced Use
- Wrapping commands: You can wrap commands like `gh` (GitHub CLI) so that an access token is automatically passed via ghtkn, making the process seamless.
- Git credential helper: ghtkn can act as a credential helper for Git, so commands like `git push` or `git clone` can use it automatically.
- Multiple GitHub Apps: You can configure more than one App in your config and select which one to use. Helpful for distinguishing permissions per repository.
- Minimum expiration threshold: You can tell `ghtkn get` to regenerate tokens if the remaining time is less than a threshold you specify. This avoids using almost-expired tokens in long-running operations.
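To make the credential-helper and minimum-expiration-threshold ideas concrete, here is an added Go example (not ghtkn's own code) that parses the key=value request git sends to a credential helper, answers it only for `https://github.com`, and decides whether a cached token should be regenerated before use. The `x-access-token` username, the function names and the `ghu_PLACEHOLDER` token value are assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"time"
)

// needsRefresh implements a "minimum expiration threshold": regenerate when the
// token is already expired or has less than minRemaining of lifetime left.
func needsRefresh(expiresAt, now time.Time, minRemaining time.Duration) bool {
	return expiresAt.Sub(now) < minRemaining
}

// parseCredentialRequest reads the key=value lines git writes to a credential
// helper's stdin; a blank line ends the request.
func parseCredentialRequest(r io.Reader) (map[string]string, error) {
	req := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed credential line %q", line)
		}
		req[k] = v
	}
	return req, sc.Err()
}

// credentialResponse answers a "get" request for https://github.com only; an empty reply
// lets git try the next helper. The username is an assumption (GitHub ignores it with a token).
func credentialResponse(req map[string]string, token string) string {
	if req["protocol"] != "https" || req["host"] != "github.com" || token == "" {
		return ""
	}
	return "username=x-access-token\npassword=" + token + "\n"
}

func main() { // constructed sample: token with 30 minutes left against a 1-hour threshold
	expiresAt := time.Now().Add(30 * time.Minute)
	fmt.Println("needs refresh:", needsRefresh(expiresAt, time.Now(), time.Hour))
	req, _ := parseCredentialRequest(strings.NewReader("protocol=https\nhost=github.com\n\n"))
	fmt.Print(credentialResponse(req, "ghu_PLACEHOLDER"))
}
```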
Who Should Use ghtkn
ghtkn is especially compelling for:
- Developers who want to minimize their risk exposure from token leaks.
- Anyone who uses GitHub CLI or other tools locally and needs safe, manageable authentication.
- Teams where multiple people or organizations share repos but want fine control over permissions.
- Organizations wanting to standardize token policies internally.
Why ghtkn Might Be a Game Changer
By shifting away from long-lived, broad-scope tokens to short-lived, narrowly scoped user-attributed tokens, ghtkn helps you follow security best practices effortlessly.
It sidesteps many of the most common security pitfalls—like stale credentials or broad permissions—while integrating nicely into existing workflows.
If you care at all about securing your GitHub workflows—and especially if you work in teams or public projects—ghtkn is worth a look.
Give it a try, and make your access tokens safer by default.