17

Is there any way to validate my OAuth token for the GitHub API? By 'token' I mean the one I get after the user has logged in to my website. I store it on the client computer using cookies, but just checking if there is a token is not enough: I need to actually check if the token is valid or not. Currently this requires me to make a request for information and then catch the errors. However, this is really damaging my rates and also my load speed as the GitHub API is sloooow... I am using Node.js, Express and the octonode library.

I tried looking at the GitHub API docs, but they are minimal. Maybe this is to do with OAuth.

3
  • 8
    Will this endpoint meet your needs? If the token exists and is associated with your OAuth application, this endpoint returns an HTTP 200 response and the body contains the token details. Otherwise, this endpoint returns an HTTP 404 response. Commented Mar 17, 2014 at 13:56
  • Hello, I have tried what you said but every time I get a 404. Can you show an example of a request using curl? This is what I am doing: curl -u client_id:client_secret https://github.com/applications/client_id/tokens/token_to_check Commented Apr 1, 2014 at 11:56
  • 1
    Never mind, figured it out myself. Just forgot to put the api.github.com at the front. That's the only problem with having the server send a 404, lol, you can't tell if it's a legit 404 or your token is invalid. Thanks for your help :) Commented Apr 1, 2014 at 12:26

4 Answers

13

Check headers to see what OAuth scopes you have, and what the API action accepts:

curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/users/codertocat -I
HTTP/1.1 200 OK
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user

2 Comments

Very good. A valid token can also be verified by the x-ratelimit-limit: 5000 response header (an invalid token has a much lower limit, like 60).
This API endpoint is much bulkier than the requirement's need and returns a large response. See my answer below for an efficient API method that only verifies the token.
7

From the GitHub API docs on authorizations:

OAuth applications can use a special API method for checking OAuth token validity without running afoul of normal rate limits for failed login attempts.

Authentication works differently with this particular endpoint. You must use Basic Authentication when accessing it, where the username is the OAuth application client_id and the password is its client_secret. Invalid tokens will return 404 NOT FOUND.

You can do this with curl:

curl -u client_id:client_secret https://api.github.com/applications/:client_id/tokens/:token

Or, if using fetch, use Curl to Fetch.

This is compiled from the helpful comments on the OP's question.

3 Comments

The Endpoint for changing the token has changed: See docs.github.com/en/[email protected]/rest/reference/…
Does someone know the API resource to validate the Stackoverflow OAuth token?
This endpoint returns 404 and the link to the docs is redirected per Jonas's comment
5
curl -H "Authorization: <TOKEN>" https://api.github.com/

Or

curl https://api.github.com/ -u <USERNAME>:<TOKEN>

1 Comment

These two methods always return 200 regardless of whether the API token is made up or valid.
0

Checking a token has a new endpoint:

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -u "$client_id:$client_secret" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/applications/$client_id/token" \
  -d '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a"}'
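
Since the question uses Node.js, here is the check from the curl command above as an added example (not code from any of the posters or from octonode). The function names are hypothetical and the `scopes` field is taken from GitHub's REST documentation rather than from this page; the fetch implementation is injectable so the logic can be exercised offline.

```javascript
// Added example. Function names are hypothetical; the endpoint, headers and
// the 200/404 meanings come from the answers and comments on this page.
const API_ROOT = "https://api.github.com";

// Build the request from the curl command above. The token travels in the
// JSON body, so it does not end up in URL logs; the client secret is only in
// the Basic auth header and must stay on the server, never in the browser.
function buildCheckRequest(clientId, clientSecret, token) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: `${API_ROOT}/applications/${encodeURIComponent(clientId)}/token`,
    options: {
      method: "POST",
      headers: {
        Accept: "application/vnd.github+json",
        Authorization: `Basic ${basic}`,
        "Content-Type": "application/json",
        "X-GitHub-Api-Version": "2022-11-28",
      },
      body: JSON.stringify({ access_token: token }),
    },
  };
}

// Map the HTTP status to a decision. Only 200 means "valid"; 404 means the
// token is unknown or was not issued to this app. Anything else (wrong client
// credentials, outage, throttling) is an error, not proof of a bad token.
function classifyStatus(status) {
  if (status === 200) return "valid";
  if (status === 404) return "invalid";
  return "error";
}

// fetchImpl is injectable for testing; Node 18+ ships a global fetch.
async function checkToken(clientId, clientSecret, token, fetchImpl = globalThis.fetch) {
  if (typeof token !== "string" || token.length === 0) return { state: "invalid", scopes: [] };
  const { url, options } = buildCheckRequest(clientId, clientSecret, token);
  const res = await fetchImpl(url, options);
  const state = classifyStatus(res.status);
  // On 200 the body holds the token details; `scopes` is the granted scope list.
  const scopes = state === "valid" ? (await res.json()).scopes || [] : [];
  return { state, scopes };
}
```

Keeping "error" separate from "invalid" lets the caller avoid logging users out during an API outage while still refusing access until the token is confirmed.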
