Fine-grained Personal Access Tokens [GA] #1116
Labels: Enterprise (Product SKU: GitHub Enterprise), ga (Feature phase: Generally available), GHES 3.17, shipped
Value Prop
After over two years in public beta, we've seen millions of requests a day using Fine-Grained PATs and adoption across the platform - enough to say that it's time to call them GA. While there's more work to be done before we can say they entirely replace PATs (Classic), we know that fine-grained PATs aren't going anywhere and are ready for production use in your company, unlocking visibility and control over the tokens used to access your organizations, and finer-grained permissions to ensure least privilege access.
This release also brings PAT expiration policies (for fine-grained PATs and PATs (Classic)) to GA as well, allowing you to force the rotation of PATs in your enterprise or organization.
Expected Outcome
In the public preview, fine-grained PATs were an opt-in mechanism for organizations - if a user wanted to create a fine-grained PAT with access to an organization, the organization had to first allow fine-grained PATs to be created at all.
With this change, fine-grained PATs will be enabled by default for all organizations. Organizations and enterprises that explicitly blocked fine-grained PATs during the preview will continue to have them disabled with this GA.
Remaining limitations with GA
This is not the end of the story for fine-grained PATs. Our intent is to continue investing in them to ensure that they can entirely replace the use of PATs (Classic) in your workflows, letting you get the best security possible no matter where you use them. We know there are gaps in the fine-grained PATs implementation that may prevent you from using them everywhere, and we will continue working on fine-grained PATs to unblock your use cases.
Critically, this milestone does not include interactions with the Enterprise object. This means enterprise role management, organization creation, SCIM user management, and enterprise audit logs, among other enterprise APIs, will not be possible with a fine-grained PAT. Supporting enterprise object access with a fine-grained PAT or GitHub App is an ongoing project that will ensure full parity with PATs (Classic) and OAuth apps.
There are also organization- and repository-level gaps that we need to fill, to ensure that every API and every developer workflow is unblocked.
These items include:
internal repos [GA] #790
As we continue to invest in improvements to fine-grained PATs and the modern permissions platform, we hope you'll find more ways to reduce your use of PATs (Classic).