Revocation
Use the REST API to revoke credentials that you have found exposed on GitHub or elsewhere.
Revoke a list of credentials
Submit a list of credentials to be revoked. This endpoint is intended to revoke credentials the caller does not own and may have found exposed on GitHub.com or elsewhere. Credential owners will be notified of the revocation.
This endpoint currently accepts the following credential types:
- classic personal access tokens
- fine-grained personal access tokens
To prevent abuse, this API is limited to 60 authenticated requests per hour and a max of 1000 tokens per API request.
Fine-grained access tokens for "Revoke a list of credentials"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token does not require any permissions.
Parameters for "Revoke a list of credentials"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
credentials array of strings RequiredA list of credentials to be revoked, up to 1000 per request. |
HTTP response status codes for "Revoke a list of credentials"
| Status code | Description |
|---|---|
202 | Accepted |
422 | Validation failed, or the endpoint has been spammed. |
500 | Internal Error |
Code samples for "Revoke a list of credentials"
Request example
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/credentials/revoke \
-d '{"credentials":["ghp_1234567890abcdef1234567890abcdef12345678","ghp_abcdef1234567890abcdef1234567890abcdef12"]}'Accepted
Status: 202