The REST API is now versioned. For more information, see "About API versioning."
Revocation
Use the REST API to revoke credentials that you have found exposed on GitHub or elsewhere.
Revoke a list of credentials
Submit a list of credentials to be revoked. This endpoint is intended to revoke credentials the caller does not own and may have found exposed on GitHub.com or elsewhere. Credential owners will be notified of the revocation.
This endpoint currently accepts the following credential types:
- Personal access tokens (classic) (
ghp_) - Fine-grained personal access tokens (
github_pat_) - OAuth app access tokens (
gho_) - User-to-server tokens from GitHub Apps (
ghu_) - Refresh tokens from GitHub Apps (
ghr_)
To prevent abuse, this API is limited to 60 authenticated requests per hour and a max of 1000 tokens per API request.
fine_grained_access
no_fine_grained_access
Parameters for "Revoke a list of credentials"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
credentials array of strings RequiredA list of credentials to be revoked, up to 1000 per request. |
http_status_code
| status_code | Description |
|---|---|
202 | Accepted |
422 | Validation failed, or the endpoint has been spammed. |
500 | Internal Error |
code_samples
request_example
post/credentials/revoke
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
http(s)://HOSTNAME/api/v3/credentials/revoke \
-d '{"credentials":["ghp_1234567890abcdef1234567890abcdef12345678","github_pat_0A1B2C3D4E5F6G7H8I9J0K_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456","gho_1234567890abcdef1234567890abcdef12345678","ghu_1234567890abcdef1234567890abcdef12345678","ghr_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab"]}'Accepted
Status: 202