gh-auth
Authenticate with GitHub
TLDR
Log in with interactive prompt
Log in with a token from stdin (created in
Check if you are logged in
Log out
Log in with a specific GitHub Enterprise Server
Refresh the session to ensure authentication credentials have the correct minimum scopes (removes additional scopes requested previously)
Expand the permission scopes
SYNOPSIS
gh auth <subcommand> [flags]
The primary subcommands are:
login: Log in to GitHub.
logout: Log out of GitHub.
refresh: Refresh authentication scopes.
status: View authentication status.
token: Print the authentication token.
For example, to log in with a web browser:
gh auth login --web
To log in using a Personal Access Token:
gh auth login --pat
PARAMETERS
--hostname <string>
Specifies the GitHub host to authenticate against. Defaults to github.com
. Useful for GitHub Enterprise instances.
--scopes <strings>
Requests additional authentication scopes beyond the default set. Scopes define the permissions granted to the GitHub CLI token (e.g., repo
, admin:org
, gist
).
--web
Authenticates through a web browser. This is the default and recommended method for gh auth login
, opening a browser for interactive authentication.
--pat
Reads a Personal Access Token (PAT) from standard input for authentication. This method is useful for automated scripts or when a browser is unavailable.
--token <string>
Directly uses the provided string as an authentication token. Less secure for interactive use compared to --pat
from stdin or --web
.
--git-protocol <string>
Sets the protocol to use for Git operations cloned by gh
(e.g., gh repo clone
). Options are https
or ssh
. Defaults to https
.
--no-browser
Prevents gh auth login
from automatically opening a web browser. Useful when using a text-based terminal or for specific authentication flows.
DESCRIPTION
The gh-auth functionality, primarily accessed via the gh auth
command and its subcommands, provides a comprehensive interface for authenticating the GitHub CLI (gh
) with your GitHub account. It manages the tokens required for the CLI to interact with GitHub APIs, enabling actions like creating pull requests, managing issues, and cloning repositories securely. Users can log in using a web browser flow (the recommended default for ease and security) or by providing a Personal Access Token (PAT). It also allows users to log out, refresh authentication scopes, check their current authentication status, and retrieve their active authentication token. This setup ensures seamless integration of the command-line experience with GitHub.
CAVEATS
The gh-auth commands require the GitHub CLI (gh
) to be installed and available in your system's PATH. Authentication tokens are securely stored by gh
, typically in your system's credential manager. Be mindful of the scopes requested, as they determine the permissions of your CLI token. Using Personal Access Tokens directly should be done with caution, especially in shared environments, due to security implications.
AUTHENTICATION METHODS
The primary way to authenticate using gh auth login
is via a web browser (the default --web
flag). This method guides you through the GitHub OAuth flow. Alternatively, you can use a Personal Access Token (PAT) via the --pat
flag, where the token is read from standard input, or directly provide it using --token
(less recommended for security). The CLI securely stores the obtained token for subsequent commands.
TOKEN MANAGEMENT
Beyond logging in, gh auth
provides commands for managing your session. gh auth status
shows your current authenticated user and host, along with granted scopes. gh auth refresh
allows you to update your token's scopes without a full re-login. gh auth logout
removes your authentication credentials for a given host. gh auth token
prints the active authentication token, which can be useful for debugging or integration with other tools.
HISTORY
The authentication capabilities have been an integral part of the GitHub CLI (gh
) since its initial public releases. As the CLI matured, the gh auth
command group evolved to provide more robust and user-friendly authentication methods, such as the streamlined web browser flow and enhanced token management, adapting to GitHub's API authentication best practices and security requirements.