Follow these best practices to keep your API credentials and tokens secure.
Choose an appropriate authentication method
You should choose an authentication method that is appropriate for the task you want to accomplish.
GITHUB_TOKEN.
For more information, see About authentication to GitHub.
Limit the permissions of your credentials
When creating a personal access token, only select the minimum permissions or scopes needed, and set an expiration date for the minimum amount of time you'll need to use the token. GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic). For more information, see Managing your personal access tokens.
A token has the same capabilities to access resources and perform actions on those resources that the owner of the token has, and is further limited by any scopes or permissions granted to the token. A token cannot grant additional access capabilities to a user.
When creating a GitHub App, select the minimum permissions that your GitHub App will need. For more information, see Best practices for creating a GitHub App.
When authenticating with GITHUB_TOKEN in a GitHub Actions workflow, only give the minimum amount of permissions needed. For more information, see Use GITHUB_TOKEN for authentication in workflows.
Treat authentication credentials the same way you would treat your passwords or other sensitive credentials.
Don't share your personal access token with others. Instead of sharing a personal access token, consider creating a GitHub App. For more information, see About creating GitHub Apps.
If you need to share credentials with a team, store the credentials in a secure shared system. For example, you could store and share passwords securely using 1Password, or you could store keys in Azure KeyVault and manage access with your IAM (Identity and access management).
If you're creating a GitHub Actions workflow that needs to access the API, you can store your credentials in an encrypted secret, and access the encrypted secret from the workflow. For more information, see Using secrets in GitHub Actions and Making authenticated API requests with a GitHub App in a GitHub Actions workflow.
Use authentication credentials securely in your code
Never hardcode authentication credentials like tokens, keys, or app-related secrets into your code. Instead, consider using a secret manager such as Azure Key Vault or HashiCorp Vault. For more information about securing GitHub App credentials, see Best practices for creating a GitHub App.
If you find another user's personal access token exposed on GitHub or elsewhere, you can submit a revocation request through the REST API. See Revocation.
When using a personal access token in a script, consider storing your token as a GitHub Actions secret and running your script through GitHub Actions. You can also store your token as a Codespaces secret and run your script in Codespaces. For more information, see Using secrets in GitHub Actions and Managing your account-specific secrets for GitHub Codespaces.
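The following workflow is an added example, not part of the GitHub documentation, that applies the two Actions-related recommendations above: it restricts the built-in GITHUB_TOKEN to the single permission one API call needs, and it reads a user-provided credential from an Actions secret rather than from the workflow file. The workflow name, the secret name EXTERNAL_API_TOKEN and the external URL are assumptions.

```yaml
# Added example (not from the GitHub docs page). The workflow name, the secret
# name EXTERNAL_API_TOKEN and the external API URL are assumed placeholders.
name: list-open-issues

on:
  workflow_dispatch:

# Default for every job in this workflow: the automatic GITHUB_TOKEN gets no
# permissions at all, so a job must opt in to each permission explicitly.
permissions: {}

jobs:
  report:
    runs-on: ubuntu-latest
    # Grant this job only what its one API call needs: read access to issues.
    permissions:
      issues: read
    steps:
      - name: Count open issues with the built-in GITHUB_TOKEN
        # Pass the token through an environment variable rather than
        # interpolating it into the command, so it does not end up in the log.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          count=$(gh api "repos/${GITHUB_REPOSITORY}/issues?state=open" --jq 'length')
          echo "open issues: ${count}"

      - name: Call an external API with a stored secret instead of a hardcoded key
        # EXTERNAL_API_TOKEN is an assumed repository secret configured under
        # Settings > Secrets and variables > Actions; Actions masks its value
        # in the job log.
        env:
          EXTERNAL_API_TOKEN: ${{ secrets.EXTERNAL_API_TOKEN }}
        run: |
          curl --fail --silent \
            -H "Authorization: Bearer ${EXTERNAL_API_TOKEN}" \
            https://api.example.com/v1/status
```

If a later step needs to write (for example to open an issue), add that permission to the job's permissions block instead of widening the workflow-level default.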
If none of these options are possible, you can store authentication credentials in a .env file. Make sure to encrypt your .env file, and never push it to any repository.
You should create a plan to handle any security breaches in a timely manner. In the event that your token or other authentication credential is leaked, you will need to:
For information about rotating compromised credentials for a GitHub App, see Best practices for creating a GitHub App.
For information about creating and deleting personal access tokens, see Managing your personal access tokens.