Personal Access Token returns 401 with ‘bad credentials’

Question

The personal access token I was using is not left idle for at least 1 year and is still visible under my account (which I suppose it means it wasn't deleted by itself). But when I use it, it returns 401 with text 'bad credentials'.

Is there a hidden expiring period for the personal access token by default? The token itself hasn't been created for a year (it is created about 2~3 months ago) so there's no way for it to be idle for a year. The token works fine back then but it stops working recently.

BTW, after regenerating the token and replace the old one with the new one, the problem is fixed. Just want to know how can I prevent this from happening again.

Answer 1

This post on the community forums has a list provided by GitHub Support that mentions the possible reasons that a token could become invalid.

• the token was manually revoked by the user, either via the UI or the API
• the token was manually revoked by the OAuth application it was created for, either via the UI or the API
• the token was automatically revoked by GitHub because it has not been used for over a year
• the token was automatically revoked by GitHub because it was pushed to a public repository – see https://github.com/blog/1956-keeping-github-oauth-tokens-safe (this will happen only for tokens that have some scopes attached, it will not happen for scopeless tokens)
• the token was automatically revoked by GitHub because the OAuth application it was created for reached the limit for the number of tokens for a specific user and set of scopes – see https://developer.github.com/v3/oauth/#multiple-tokens