You can now revoke an exposed GitHub personal access token (PAT) you found outside of repositories, even if it’s not yours, to help quickly limit the impact of the exposure and improve the security of the software ecosystem.

If you find classic or fine-grained PATs on GitHub or elsewhere, you can submit a bulk revocation request using the new Credential Revocation REST API. If the API receives a valid token, it automatically revokes the token and logs the revocation in the token owner’s audit log. If the exposed token had been granted access to a GitHub organization, it will no longer have access to that organization.

A screenshot of the user's audit log event, titled "oauth_access.revoke".

It also notifies the token owner of the revocation through an email sent to the primary email address associated with the owner’s GitHub user account:

A screenshot of an email titled "Action needed: Personal access token was revoked"

This is an unauthenticated API and is available to all users on github.com. To prevent abuse, it is limited to 60 unauthenticated requests per hour and a maximum of 1,000 tokens per request.
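The following script is an added example, not GitHub's own code, of how a responder might submit tokens found in a log dump or paste through the Credential Revocation REST API described above while staying inside the stated limits (1,000 tokens per request, 60 unauthenticated requests per hour). The endpoint URL and the `{"credentials": [...]}` payload shape are assumptions to be confirmed against the GitHub REST API documentation; the `ghp_` (classic) and `github_pat_` (fine-grained) prefixes are the documented PAT formats, and the regex is deliberately loose because the API simply ignores strings that are not valid tokens. The sample input is constructed from obviously fake tokens.

```python
"""Submit exposed GitHub PATs for bulk revocation (added example, not GitHub's code)."""
import json
import re
import urllib.request
from typing import Callable, List, Sequence

# Assumed endpoint and payload shape; confirm against the GitHub REST API docs before use.
REVOKE_URL = "https://api.github.com/credentials/revoke"
MAX_TOKENS_PER_REQUEST = 1000   # per-request cap stated in the announcement
MAX_REQUESTS_PER_HOUR = 60      # unauthenticated rate limit stated in the announcement

# Classic PATs begin with "ghp_", fine-grained PATs with "github_pat_". The length
# bounds are deliberately loose: a near-miss is still submitted, and the API simply
# ignores strings that are not valid tokens.
PAT_PATTERN = re.compile(r"\b(?:ghp_[A-Za-z0-9]{30,}|github_pat_[A-Za-z0-9_]{60,})\b")


def extract_candidates(text: str) -> List[str]:
    """Return unique candidate PATs from free text (logs, diffs, pastes) in first-seen order."""
    seen, found = set(), []
    for match in PAT_PATTERN.finditer(text):
        token = match.group(0)
        if token not in seen:
            seen.add(token)
            found.append(token)
    return found


def batch(tokens: Sequence[str], size: int = MAX_TOKENS_PER_REQUEST) -> List[List[str]]:
    """Split tokens into request-sized chunks so no request exceeds the per-request cap."""
    return [list(tokens[i:i + size]) for i in range(0, len(tokens), size)]


def build_request(tokens: Sequence[str]) -> urllib.request.Request:
    """Build the unauthenticated POST; no Authorization header is needed or sent."""
    body = json.dumps({"credentials": list(tokens)}).encode("utf-8")
    return urllib.request.Request(
        REVOKE_URL,
        data=body,
        method="POST",
        headers={"Accept": "application/vnd.github+json", "Content-Type": "application/json"},
    )


def send_batch(tokens: Sequence[str]) -> int:
    """Send one batch and return the HTTP status code."""
    with urllib.request.urlopen(build_request(tokens), timeout=30) as resp:
        return resp.status


def revoke_tokens(tokens: Sequence[str],
                  sender: Callable[[Sequence[str]], int] = send_batch) -> List[int]:
    """Batch and submit tokens; refuse up front if the hourly request budget would be exceeded.

    `sender` is injectable so the batching logic can be exercised offline.
    """
    batches = batch(tokens)
    if len(batches) > MAX_REQUESTS_PER_HOUR:
        raise ValueError(
            f"{len(batches)} requests needed but only {MAX_REQUESTS_PER_HOUR} allowed per hour; "
            "split the submission across hours"
        )
    return [sender(b) for b in batches]


def revoke_from_text(text: str,
                     sender: Callable[[Sequence[str]], int] = send_batch) -> List[int]:
    """Convenience wrapper: extract candidates from text, then submit them."""
    return revoke_tokens(extract_candidates(text), sender)


# Constructed sample input: an obviously fake classic PAT (repeated) and a fake fine-grained PAT.
SAMPLE_TEXT = (
    "2024-01-01 deploy.log: using token ghp_" + "A" * 36 + " for push\n"
    "config.yml: token: ghp_" + "A" * 36 + "\n"
    "notes.txt: github_pat_" + "B" * 22 + "_" + "C" * 59 + "\n"
)

if __name__ == "__main__":
    # Dry run: show what would be sent without contacting GitHub.
    for i, chunk in enumerate(batch(extract_candidates(SAMPLE_TEXT)), 1):
        print(f"batch {i}: {len(chunk)} token(s)")
```

Deduplicating before batching matters because the same token often appears many times in a log; submitting it once keeps the request count, and therefore the hourly budget, as low as possible. Replacing `send_batch` with a real call is the only change needed to move from the dry run to an actual submission.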

Learn more in our documentation on best practices for revoking exposed tokens.