GitHub Changes Token Format to Improve Identifiability, Secret Scanning, and Entropy

GitHub has recently moved to a new format for all of its tokens, including personal access, OAuth access, user-to-server and server-to-server, and refresh tokens. As GitHub engineer Heather Harvey explains, the new format aims to make tokens more easily identifiable, including when scanning repos for secrets, and to increase their entropy.

GitHub uses a number of different tokens to control access to its APIs: the personal access token, used for authentication in place of a username and password; the OAuth access token, issued to apps that implement the OAuth 2.0 protocol, including those that do not have access to a web browser; the GitHub App user-to-server token, which lets a GitHub App act on behalf of a user, and the GitHub App server-to-server token, which lets the app act as itself on the installations it has been granted; and the refresh token, used to obtain a new user-to-server token when one expires.

From the outside, the changes to the token format appear to be pretty minor: a new three-character prefix and an extended allowed character set. Those two changes, though, says Harvey, lead to a couple of desirable properties.
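To make the two properties concrete, here is an added example (not code from the article, and not GitHub's own scanner) in Python. It scans a constructed diff for tokens in the new prefixed format, shows that the old 40-hex format is indistinguishable from a SHA-1 commit id, and compares the entropy of the two layouts. The prefix values `ghp`, `gho`, `ghu`, `ghs` and `ghr` come from GitHub's announcement of the format and are not stated on this page; the 36-character body and the split into 30 random characters plus a checksum used in the entropy comparison are assumptions taken from that announcement for the personal access token layout.

```python
from __future__ import annotations

import math
import re
from typing import Optional

# Prefixes GitHub assigned to each token type (from GitHub's announcement of
# the format; the article only says "a three-character prefix").
TOKEN_PREFIXES = {
    "ghp": "personal access token",
    "gho": "OAuth access token",
    "ghu": "GitHub App user-to-server token",
    "ghs": "GitHub App server-to-server token",
    "ghr": "GitHub App refresh token",
}

# New format: prefix, underscore, base62 body. ASSUMPTION for this example: the
# body is at least 36 characters (the personal access token layout); the upper
# bound is left open because other token types may carry a longer body.
NEW_TOKEN_RE = re.compile(r"\b(ghp|gho|ghu|ghs|ghr)_([A-Za-z0-9]{36,})\b")

# Old format: 40 lowercase hex characters, the same shape as a SHA-1 commit id,
# so a scanner could not tell a token from a hash without trying it.
OLD_TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")


def classify(token: str) -> Optional[str]:
    """Return the token type for a whole new-format token, or None."""
    m = NEW_TOKEN_RE.fullmatch(token)
    return TOKEN_PREFIXES[m.group(1)] if m else None


def scan(text: str) -> list[dict]:
    """Find new-format tokens in text; one hit per match with its line number."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in NEW_TOKEN_RE.finditer(line):
            hits.append({"line": lineno,
                         "kind": TOKEN_PREFIXES[m.group(1)],
                         "token": m.group(0)})
    return hits


def old_style_candidates(text: str) -> list[tuple[int, str]]:
    """Find 40-hex strings: this is all an old-format scanner had to go on."""
    return [(lineno, m.group(0))
            for lineno, line in enumerate(text.splitlines(), start=1)
            for m in OLD_TOKEN_RE.finditer(line)]


def entropy_bits(alphabet_size: int, random_chars: int) -> float:
    """Bits of entropy in `random_chars` uniformly random symbols."""
    return random_chars * math.log2(alphabet_size)


# Constructed sample diff; the token values are made up, not real credentials.
SAMPLE = """\
commit 3f786850e387550fdab836ed7e6dc881de23001b
Author: dev <dev@example.com>
    Add CI deploy step
+GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
+OAUTH=gho_0123456789abcdefghijABCDEFGHIJklmnop
+LEGACY=a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"line {hit['line']}: {hit['kind']} -> {hit['token'][:8]}...")
    # The old pattern hits both the commit id on line 1 and the secret on
    # line 6, and nothing in the string distinguishes them.
    print("old-style candidates:", old_style_candidates(SAMPLE))
    # Old: 40 hex chars = 160 bits. New: 36 base62 chars, of which GitHub's
    # announcement says 30 are random and the rest a checksum (assumption
    # taken from that announcement, not from the article): about 178.6 bits.
    print("old", entropy_bits(16, 40), "new", round(entropy_bits(62, 30), 1))
```

The prefix is what a secret scanner keys on: a match on `ghp_` plus a base62 body is almost certainly a credential, whereas a bare 40-hex match needs an API call to confirm. The entropy gain comes from the larger alphabet, not from a longer token.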
