@magnetikonline
Last active April 27, 2026 06:05

GitHub token validation regular expressions

Regular expressions to check if a given GitHub token could be valid.

Personal access tokens (classic)

Classic personal access tokens are 40 characters in length, with a prefix of ghp_:

^ghp_[a-zA-Z0-9]{36}$

Fine-grained personal access tokens

Fine-grained personal access tokens (currently in beta) are 93 characters in length, with a prefix of github_pat_:

^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$

GitHub Actions

Temporary tokens generated by GitHub Actions are 40 characters in length, with a prefix of ghs_:

^ghs_[a-zA-Z0-9]{36}$

Combined together

^(gh[ps]_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})$

Related

@BrycensRanch

Thanks, bro! Just used this in my code to validate user input. I linked back to you ofc.

@magnetikonline

Author

Thanks @BrycensRanch - and appreciate the comment, as I've just noted this is a little out of date with the new "fine grained" personal access token format. Have updated the regular expressions.

@BrycensRanch

BrycensRanch commented Nov 23, 2022

Thanks! I noticed the regex didn't work so I disabled it. But now I can reenable it. Thanks, bro! I should learn Regex soon so I can give back to the community like you have.

EDIT: It works perfectly, thanks man!

@magnetikonline

Author

Thanks for reporting back @BrycensRanch - so much better Gists now email me when people comment 😄. I used to get lots of good feedback and could never reply and/or review the state of these things.

Thanks for rechecking these as well. 👍

@BrycensRanch

BrycensRanch commented Nov 23, 2022 via email

@acevif

acevif commented May 23, 2023

@magnetikonline Thank you!

I have made a slight improvement to your expression for use on GitHub Actions:

^(gh[pousr]_[A-Za-z0-9_]{36,251}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}|v[0-9]\.[0-9a-f]{40})$

This regular expression works well in my GitHub Actions environment.

Please refer to GitHub's changelog for more information.

@magnetikonline

Author

Thanks @acevif - added that changelog link. So many token formats 😄

@acevif

acevif commented May 25, 2023

Temporal tokens generated by GitHub Actions now adhere to the following format:

^ghs_[A-Za-z0-9_]{36,251}$

@magnetikonline, would you kindly consider updating this gist? Thank you!

@magnetikonline

Author

Thanks for calling that out @acevif - have confirmed myself and you're correct. 👍

@acevif

acevif commented May 25, 2023

@magnetikonline Thank you very much!

@xmo-odoo

A few updates since the last one:

  • Server-to-server (ghs) tokens are also used by GitHub Apps, when requesting / generating Installation Tokens. They are valid for just one hour.
  • GitHub applications can also create user-to-server tokens, with the prefix / identifier ghu. They seem to have a format similar to personal and s2s tokens, and these are valid for 8 hours.
  • Finally, GitHub has refresh tokens in order to renew ghu. They have the prefix ghr and the format is unknown; the payload is 76 characters.

@xmo-odoo

xmo-odoo commented Apr 27, 2026

Also, GitHub just announced that server-to-server (ghs) tokens are getting a new format of unspecified length (up to 520 characters): https://github.blog/changelog/2026-04-24-notice-about-upcoming-new-format-for-github-app-installation-tokens/

To help prepare for this change, ensure that:

  • Your apps do not take a dependency on access tokens being a certain length.
  • There are no regexes in your codebase such as ghs_[A-Za-z0-9]{36} that validate a token. These may not match the new tokens.
  • Any database columns for access tokens can fit at least a 520 character string.
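
The Python below is an added example, not code from the gist or its commenters. It applies the guidance quoted above to input validation: the personal access token shapes from the gist stay strict, `ghs_` is checked by prefix only, and the gist's length-pinned pattern is kept for comparison. The status labels, the function names and the use of 520 as a hard upper bound are assumptions of this example.

```python
import re

# Length-pinned pattern copied from the gist's "Combined together" section.
PINNED = re.compile(
    r"^(gh[ps]_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})$"
)

# Payload shapes quoted on this page, keyed by prefix. ghs_ deliberately has
# none: the quoted notice only bounds its length.
SHAPES = {
    "github_pat_": re.compile(r"[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}"),
    "ghp_": re.compile(r"[a-zA-Z0-9]{36}"),
    "ghs_": None,
}
MAX_LEN = 520  # assumption: upper bound taken from the quoted notice


def classify(value: str) -> str:
    """Return 'known-shape', 'prefix-only' or 'reject' for one candidate."""
    # Reject oversize input and anything with whitespace, control or
    # non-ASCII characters (this also catches a trailing newline).
    if len(value) > MAX_LEN or not value.isascii():
        return "reject"
    if not value.isprintable() or " " in value:
        return "reject"
    for prefix, shape in SHAPES.items():
        if value.startswith(prefix):
            payload = value[len(prefix):]
            if shape is None:
                return "prefix-only" if payload else "reject"
            return "known-shape" if shape.fullmatch(payload) else "reject"
    return "reject"


def pinned_accepts(value: str) -> bool:
    """What the length-pinned pattern says when used with re.match()."""
    return PINNED.match(value) is not None


def describe(value: str) -> str:
    """Log-safe summary: prefix and length only, never the payload."""
    prefix = next((p for p in SHAPES if value.startswith(p)), "?")
    return f"{prefix}<{len(value)} chars> -> {classify(value)}"
```

In Python, `$` also matches just before a trailing newline, so the pinned pattern used with `re.match()` accepts a 40-character token followed by `\n`; `fullmatch()` or `\Z` avoids that.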