Reputation: 23
Using GitHub access token publicly
I need to use GitHub access token publicly but somehow restrict it to my site.
The use case: I have created a portfolio web page that pulls some information from Github. Some of the information I need require an access token. I can generate an access token and use it with the fetch requests to get the info, however, it's not secure to do it this way as the access token would be visible to public users. So I'm wondering if there is a way to restrict the use of the access token to the domain, IP address, or maybe there is another way to authenticate requests without an access token?
Edit: It seems like GitHub allows users to create a PAT with no access and users would still be able to authenticate. Though a slightly different question, would publishing such a token be a problem?
Upvotes: 2
Views: 605
Answers (1)
Reputation: 76964
The best way to do this is to have some sort of backend server that stores your access token and uses it to present the data. That way, your token will remain secure and you won't need to expose it to others, but you can still fetch the data (and cache it) to present to the user.
There's no way to do this securely with a static website.
Publishing any sort of token, even one with no privileges, still exposes the token to be stolen. That would count against your rate limit, and if it's used to make expensive requests that cause a DoS, then your account would be responsible for it.
Upvotes: 3
Related Questions
- How to access GitHub via Personal Access Token in URL
- Personal Access Token
- using Github personal access token on a public website
- GitHub can't use personal access token
- How to correctly use GitHub's authentication token?
- How to allow a public app to connect to the GitHub API v4 without an access token?
- API access to GitHub organisation repo using personal access token
- Get a token by Github API
- Github GET on private repo with access token
- Personal Access token in Gist