How to revoke a gho_* token?

[datosh]

Select Topic Area

Question

Body

I accidentally leaked a token issued for one of my Authorized OAuth Apps. Is there any way (via WebUI or API) to revoke only the specific token, without revoking the whole OAuth App?

The Token expiration and revocation documentation talks about a few options, but none fit here:

1. Tokens are revoked when pushed to a public repo or gist: I don't want to tempt fate and spread my leaked token further.
2. Token revoked by the user: Only explains how to revoke the whole app.
3. Revoke by the app owner: I am just a user.

[gabrielfrimodig]

Navigate to Settings > Applications > Authorized OAuth Apps and from there see a list of authorized tokens and a Revoke option next to it.

[datosh]

I don't see a lit of tokens on that page. Could you provide a link and/or screenshot to guide me there?

When I follow the path you provided it only lists a number of apps, not the individual tokens for each.
I do concede that it is possible to revoke the app, but as specified in my question I would like to only revoke a single for token, not the whole app.

[yashksaini-coder]

You can easily delete a github_token. At the left hand upper corner you will see a Revoke All option that will revoke all the github tokens immediately. It will require user passowrd input.

[datosh]

This page only lists personal access tokens, which are prefixed with ghp_, as documented here.

I am specifically looking for OAuth App tokens which have a gho_ prefix.

[shan-weiqiang]

Hav you solved the problem yet? i have the same problem, where i have a gho_ prefixed token and it have access to my github account. However, i can not find anyway to revoke it on github settings. This is very dangerous, since there might be any other tokens that are out of control by myself.

[datosh]

Sadly, I was not able to find a solution to revoke a single token, @shan-weiqiang
As described in my main post, the only workflow that works is to delete the whole OAuth app, then re-create it.

[robbycuenot]

I am facing this same issue for one of my orgs -- a gho_ token was leaked, and potentially several others. However, I cannot find a way to list these within the UI or API

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬