Can I check the permissions of a token

[tombrus]

Is it possible to get a list of the permissions of a given token?
Or check if a token has a certain set of permissions?

In one of my actions I would like to warn that the provided token is lacking a specific permission. The errors currently issued by just trying to do something and failing are not always easy to understand. If I could check the permission before failing I could issue a helpful warning like the provided token is missing the xxx permission.

[BrightRan]

@tombrus,

We seem have no available methods to list all the access scopes of a token.
I tried using the OAuth Authorizations API, but did not work.

If you are the authenticated user of the token, you can try to navigate to Personal settings > Developer settings > Personal access tokens to view the access scopes of the tokens you have created.

[tombrus]

Hi @brightran!

interactively going to the token def will work, but it does not help in a script (unless you do some serious curl hacking I guess ;-)).

So this seems like a request for a valuable extension to the API, right?
Can I file it somewhere?

[BrightRan]

@tombrus,

You can share a feature request in the Feedback form for GitHub.
That will allow you to directly interact with the appropriate engineering team, and make it more convenient for the engineering team to collect and categorize your suggestions.

[tombrus]

Thanks @brightran, I entered a feature request.

[henrik242]

It’s fairly easy to check the permissions of a token using the github API:

$ curl -sS -f -I -H "Authorization: token ghp_yourOwnToken" https://api.github.com | grep -i x-oauth-scopes
x-oauth-scopes: public_repo, repo:status, repo_deployment

[ben-elttam]

Works for classic PATs but not for fine-grained (beta) PATs.

[tombrus]

Great henrik242! Thanks.

[flxw]

Hi @tombrus and everybody else - it's been quite some time since this was raised.
What's the best way to do this in 2023?
I am trying to accomplish this for the new fine-grained PATs that are provided via the ${github.token} context in actions.

Is the feature request still open and can I support it somewhere?

[gautamkrishnar]

This is true, i had created a new bug https://github.com/orgs/community/discussions/73397

[FollowTheProcess]

FYI if you have the GitHub CLI installed, this is also possible with the gh auth status command, which you should be able to force to use a particular token via the $GITHUB_TOKEN env var, so something like:

GITHUB_TOKEN=<your_token> gh auth status

Seems like it would work to me

[vit-zikmund]

Today, this doesn't work as desired with the fine-grained tokens:

$ GITHUB_TOKEN=$GH__FINE_READ gh auth status
github.com
  ✓ Logged in to github.com as vit-zikmund (GITHUB_TOKEN)
  ✓ Git operations for github.com configured to use https protocol.
  ✓ Token: github_pat_***********************************************************

This is the output with the classic one:

GITHUB_TOKEN=$GH_CLASSIC_REPO gh auth status
github.com
  ✓ Logged in to github.com as vit-zikmund (GITHUB_TOKEN)
  ✓ Git operations for github.com configured to use https protocol.
  ✓ Token: ghp_************************************
  ✓ Token scopes: read:org, repo