LinuxCommandLibrary

gh-auth

Authenticate with GitHub

TLDR

Log in with interactive prompt

$ gh auth login
copy

Log in with a token from stdin (created in )
$ echo [your_token] | gh auth login --with-token
copy

Check if you are logged in
$ gh auth status
copy

Log out
$ gh auth logout
copy

Log in with a specific GitHub Enterprise Server
$ gh auth login [[-h|--hostname]] [github.example.com]
copy

Refresh the session to ensure authentication credentials have the correct minimum scopes (removes additional scopes requested previously)
$ gh auth refresh
copy

Expand the permission scopes
$ gh auth refresh [[-s|--scopes]] [repo,admin:repo_hook,admin:org,admin:public_key,admin:org_hook,...]
copy

SYNOPSIS

gh auth <command> [<flags>]

PARAMETERS

login
    Log in to GitHub with browser, token, or device flow

logout
    Log out from the GitHub account

status
    Show authentication status for current and configured accounts

setup-git
    Configure Git to use GitHub CLI as credential helper

refresh
    Refresh auth token to update expiration

token
    Print the access token for the logged-in account

switch
    Switch to a different authenticated account

--hostname
    Operate on a specific GitHub host (e.g., github.com)

--help
    Show help for the command

DESCRIPTION

The gh auth command is part of the GitHub CLI toolset, used to handle authentication with GitHub accounts. It supports logging in via browser-based OAuth flow, personal access tokens (PAT), or device authorization for headless environments. Once authenticated, it stores tokens securely and configures Git credential helpers for seamless repository interactions.

Key workflows include initial setup with gh auth login, checking status with gh auth status, and switching accounts via gh auth switch. It integrates with Git by setting up credential helpers, allowing passwordless pushes and pulls. Supports multiple hosts like github.com and GitHub Enterprise.

Tokens are stored in ~/.config/gh/hosts directories, encrypted on supported platforms. Refreshing or revoking tokens ensures security. Ideal for developers automating workflows, CI/CD, or multi-account setups. Requires GitHub CLI installation via package managers or binaries.

CAVEATS

Tokens stored unencrypted on some systems; use keychain on macOS/Windows. Multi-account support limited to host-specific configs. Requires network access for login.

COMMON FLAGS

Subcommands like login support --web (browser), --with-token (stdin token), --scopes (custom scopes).

EXAMPLES

gh auth login (interactive)
gh auth login --with-token <<< ghp_... (CI)
gh auth status --hostname enterprise.example.com

HISTORY

Introduced in GitHub CLI v0.5.0 (April 2020) as part of CLI rewrite from Go. Evolved with v2.0+ for better multi-host and token management. Maintained by GitHub engineering.

SEE ALSO

gh(1), git-credential(1), hub(1)

Copied to clipboard