As outlined here, there are a couple of situations where you may want/need to authenticate with GitHub by using an Access Token:-
- If you have Two-Factor Authentication (2FA) enabled.
- You are accessing an organisations protected content using SAML Single-Sign On (SSO).
In your GitHub account, go to Settings / Developer settings / Personal access tokens
and select Generate New Token
. Make a note of the token somewhere safe since this is the only chance you get to see it.
When you next clone a private repository on the command line Github should challenge you for your credentials. Even though it will prompt you for your Password for 'https://[email protected]': this is actually where you should supply your new access token.
$ git clone https://github.com/username/repo.git
Cloning into 'repo'...
Username for 'https://github.com': your_github_username
Password for 'https://[email protected]': your_access_token
Using the token on your Mac the first time should automatically add it to your OSX Key Chain so that you do not need to enter it every time you are interracting with the Github API. If you check your local git configuration you should see that there is a credential.helper
key pointing to the OSX Key Chain.
$ git config -l
credential.helper=osxkeychain
[email protected]
user.name=Joe Bloggs
April 2021 - notice on possible future updates on token length Authentication token format updates are generally available.
If you need to regenerate the Access Token then log into your Github dashboard and navigate to Settings / Developer settings / Personal access tokens
and choose to either Generate new token
or replace your existing token, either by choosing Delete
and Generate new token
, or viewing your current token and choosing Regenerate token
.
The general approach described in the Github documentation is to use the following git command to erase your local credentials. Note, it is worth reading the rest of this section before running this.
$ git credential-osxkeychain erase
The above would appear to be increasingly ineffective and, as many report in the comments below, often just hangs. An alternative approach to delete is to try the following.
$ security delete-internet-password -l github.com
keychain: "/Users/jblogs/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
0x00000007 <blob>="github.com"
0x00000008 <blob>=<NULL>
"acct"<blob>="joebloggs"
"atyp"<blob>="dflt"
"cdat"<timedate>=0x32303230303932383233343630395A00 "20200928234609Z\000"
"crtr"<uint32>="aapl"
... (truncated)
password has been deleted.
Now, the next time you attempt a clone/pull/push
etc on a private repo, the Github API should prompt you for your new token on the command line and entering the new token should also add it to your local Key Chain which you can check as below.
To check if the token still exists you can try this.
$ security find-internet-password -l github.com
Which should report something like this if it exists.
keychain: "/Users/jbloggs/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
0x00000007 <blob>="github.com"
0x00000008 <blob>=<NULL>
"acct"<blob>="joebloggs"
"atyp"<blob>="dflt"
"cdat"<timedate>=0x32303730303933373333343635395A00 "20200938235909Z\000"
...(truncated)
Or else if it does not exist then you should see something like this.
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.