Gathering detailed insights and metrics for @octokit-next/auth-token
Gathering detailed insights and metrics for @octokit-next/auth-token
Installations
npm install @octokit-next/auth-tokenDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Node Version
22.15.0
NPM Version
10.9.2
Releases
51
Languages
2
JavaScript
TypeScript
JavaScript (79.48%)
TypeScript (20.52%)
Developer
octokit
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
24 Stars
310 Commits
4 Forks
8 Watchers
5 Branches
17 Contributors
Updated on Jul 15, 2025
Maintainers
2
Package Meta Information
Latest Version
3.0.0
Package Id
@octokit-next/auth-token@3.0.0
Unpacked Size
19.99 kB
Size
4.99 kB
File Count
9
NPM Version
10.9.2
Node Version
22.15.0
Published on
May 20, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
2
auth-token.js
GitHub API token authentication for browsers and Node.js
@octokit-next/auth-token is the simplest of GitHub’s authentication strategies.
It is useful if you want to support multiple authentication strategies, as it’s API is compatible with its sibling packages for basic, GitHub App and OAuth app authentication.
Usage
| Browsers |
Load @octokit-next/auth-token directly from cdn.skypack.dev
|
|---|---|
| Node |
Install with
|
| Deno |
Load
|
1const auth = createTokenAuth("ghp_PersonalAccessToken01245678900000000"); 2const authentication = await auth(); 3// { 4// type: 'token', 5// token: 'ghp_PersonalAccessToken01245678900000000', 6// tokenType: 'oauth' 7// }
createTokenAuth(token)
The createTokenAuth method accepts a single argument of type string, which is the token. The passed token can be one of the following:
- Personal access token
- OAuth access token
- GITHUB_TOKEN provided to GitHub Actions
- Installation access token (server-to-server)
- User authentication for installation (user-to-server)
Examples
1// Personal access token or OAuth access token 2createTokenAuth("ghp_PersonalAccessToken01245678900000000"); 3// { 4// type: 'token', 5// token: 'ghp_PersonalAccessToken01245678900000000', 6// tokenType: 'oauth' 7// } 8 9// Installation access token or GitHub Action token 10createTokenAuth("ghs_InstallallationOrActionToken00000000"); 11// { 12// type: 'token', 13// token: 'ghs_InstallallationOrActionToken00000000', 14// tokenType: 'installation' 15// } 16 17// Installation access token or GitHub Action token 18createTokenAuth("ghu_InstallationUserToServer000000000000"); 19// { 20// type: 'token', 21// token: 'ghu_InstallationUserToServer000000000000', 22// tokenType: 'user-to-server' 23// }
auth()
The auth() method has no options. It returns a promise which resolves with the the authentication object.
Authentication object
| name | type | description |
|---|---|---|
type
|
string
|
"token"
|
token
|
string
| The provided token. |
tokenType
|
string
|
Can be either "oauth" for personal access tokens and OAuth tokens, "installation" for installation access tokens (includes GITHUB_TOKEN provided to GitHub Actions), "app" for a GitHub App JSON Web Token, or "user-to-server" for a user authentication token through an app installation.
|
auth.hook(request, route, options) or auth.hook(request, options)
auth.hook() hooks directly into the request life cycle. It authenticates the request using the provided token.
The request option is an instance of @octokit/request. The route/options parameters are the same as for the request() method.
auth.hook() can be called directly to send an authenticated request
1const { data: authorizations } = await auth.hook( 2 request, 3 "GET /authorizations" 4);
Or it can be passed as option to request().
1const requestWithAuth = request.defaults({ 2 request: { 3 hook: auth.hook, 4 }, 5}); 6 7const { data: authorizations } = await requestWithAuth("GET /authorizations");
Find more information
auth() does not send any requests, it only transforms the provided token string into an authentication object.
Here is a list of things you can do to retrieve further information
Find out what scopes are enabled for oauth tokens
Note that this does not work for installations. There is no way to retrieve permissions based on an installation access tokens.
1const TOKEN = "ghp_PersonalAccessToken01245678900000000"; 2 3const auth = createTokenAuth(TOKEN); 4const authentication = await auth(); 5 6const response = await request("HEAD /", { 7 headers: authentication.headers, 8}); 9const scopes = response.headers["x-oauth-scopes"].split(/,\s+/); 10 11if (scopes.length) { 12 console.log( 13 `"${TOKEN}" has ${scopes.length} scopes enabled: ${scopes.join(", ")}` 14 ); 15} else { 16 console.log(`"${TOKEN}" has no scopes enabled`); 17}
Find out if token is a personal access token or if it belongs to an OAuth app
1const TOKEN = "ghp_PersonalAccessToken01245678900000000"; 2 3const auth = createTokenAuth(TOKEN); 4const authentication = await auth(); 5 6const response = await request("HEAD /", { 7 headers: authentication.headers, 8}); 9const clientId = response.headers["x-oauth-client-id"]; 10 11if (clientId) { 12 console.log( 13 `"${token}" is an OAuth token, its app’s client_id is ${clientId}.` 14 ); 15} else { 16 console.log(`"${token}" is a personal access token`); 17}
Find out what permissions are enabled for a repository
Note that the permissions key is not set when authenticated using an installation access token.
1const TOKEN = "ghp_PersonalAccessToken01245678900000000"; 2 3const auth = createTokenAuth(TOKEN); 4const authentication = await auth(); 5 6const response = await request("GET /repos/{owner}/{repo}", { 7 owner: 'octocat', 8 repo: 'hello-world' 9 headers: authentication.headers 10}); 11 12console.log(response.data.permissions) 13// { 14// admin: true, 15// push: true, 16// pull: true 17// }
Use token for git operations
Both OAuth and installation access tokens can be used for git operations. However, when using with an installation, the token must be prefixed with x-access-token.
This example is using the execa package to run a git push command.
1const TOKEN = "ghp_PersonalAccessToken01245678900000000"; 2 3const auth = createTokenAuth(TOKEN); 4const { token, tokenType } = await auth(); 5const tokenWithPrefix = 6 tokenType === "installation" ? `x-access-token:${token}` : token; 7 8const repositoryUrl = `https://${tokenWithPrefix}@github.com/octocat/hello-world.git`; 9 10const { stdout } = await execa("git", ["push", repositoryUrl]); 11console.log(stdout);
License
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:14
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
0 existing vulnerabilities detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add_to_octokit_project.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/add_to_octokit_project.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/codeql-analysis.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/immediate-response.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/immediate-response.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/openapi-update.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/openapi-update.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/openapi-update.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/openapi-update.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/openapi-update.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/openapi-update.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/openapi-update.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/openapi-update.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/openapi-update.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/openapi-update.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/octokit-next.js/test.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:24
- Info: 0 out of 12 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 5 third-party GitHubAction dependencies pinned
- Info: 2 out of 3 npmCommand dependencies pinned
Reason
Found 1/28 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29
- Warn: no topLevel permission defined: .github/workflows/add_to_octokit_project.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/openapi-update.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:8
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.5
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More