As outlined here, there are a couple of situations where you may want/need to authenticate with GitHub by using an Access Token:-
- If you have Two-Factor Authentication (2FA) enabled.
- You are accessing an organisations protected content using SAML Single-Sign On (SSO).
In your GitHub account, go to Settings / Developer settings / Personal access tokens and select Generate New Token. Make a note of the token somewhere safe since this is the only chance you get to see it.
When you next clone a private repository on the command line Github should challenge you for your credentials. Even though it will prompt you for your Password for 'https://[email protected]': this is actually where you should supply your new access token.
$ git clone https://github.com/username/repo.git
Cloning into 'repo'...
Username for 'https://github.com': your_github_username
Password for 'https://[email protected]': your_access_tokenUsing the token on your Mac the first time should automatically add it to your OSX Key Chain so that you do not need to enter it every time you are interracting with the Github API. If you check your local git configuration you should see that there is a credential.helper key pointing to the OSX Key Chain.
$ git config -l
credential.helper=osxkeychain
[email protected]
user.name=Joe BloggsApril 2021 - notice on possible future updates on token length Authentication token format updates are generally available.
If you need to regenerate the Access Token then log into your Github dashboard and navigate to Settings / Developer settings / Personal access tokens and choose to either Generate new token or replace your existing token, either by choosing Delete and Generate new token, or viewing your current token and choosing Regenerate token.
The general approach described in the Github documentation is to use the following git command to erase your local credentials. Note, it is worth reading the rest of this section before running this.
$ git credential-osxkeychain eraseThe above would appear to be increasingly ineffective and, as many report in the comments below, often just hangs. An alternative approach to delete is to try the following.
$ security delete-internet-password -l github.com
keychain: "/Users/jblogs/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
0x00000007 <blob>="github.com"
0x00000008 <blob>=<NULL>
"acct"<blob>="joebloggs"
"atyp"<blob>="dflt"
"cdat"<timedate>=0x32303230303932383233343630395A00 "20200928234609Z\000"
"crtr"<uint32>="aapl"
... (truncated)
password has been deleted.Now, the next time you attempt a clone/pull/push etc on a private repo, the Github API should prompt you for your Password on the command line and entering the new access token should also add it to your local Key Chain which you can check as below.
To check if the token still exists you can try this.
$ security find-internet-password -l github.comWhich should report something like this if it exists.
keychain: "/Users/jbloggs/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
0x00000007 <blob>="github.com"
0x00000008 <blob>=<NULL>
"acct"<blob>="joebloggs"
"atyp"<blob>="dflt"
"cdat"<timedate>=0x32303730303933373333343635395A00 "20200938235909Z\000"
...(truncated)Or else if it does not exist then you should see something like this.
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.