{"meta":{"title":"Use GITHUB_TOKEN for authentication in workflows","intro":"Learn how to use the GITHUB_TOKEN to authenticate on behalf of GitHub Actions.","product":"GitHub Actions","breadcrumbs":[{"href":"/en/actions","title":"GitHub Actions"},{"href":"/en/actions/tutorials","title":"Tutorials"},{"href":"/en/actions/tutorials/authenticate-with-github_token","title":"Authenticate with GITHUB_TOKEN"}],"documentType":"article"},"body":"# Use GITHUB_TOKEN for authentication in workflows\n\nLearn how to use the GITHUB_TOKEN to authenticate on behalf of GitHub Actions.\n\nThis tutorial leads you through how to use the `GITHUB_TOKEN` for authentication in GitHub Actions workflows, including examples for passing the token to actions, making API requests, and configuring permissions for secure automation.\n\nFor reference information, see [Workflow syntax for GitHub Actions](/en/actions/reference/workflow-syntax-for-github-actions#permissions).\n\n## Using the `GITHUB_TOKEN` in a workflow\n\nYou can use the `GITHUB_TOKEN` by using the standard syntax for referencing secrets: `${{ secrets.GITHUB_TOKEN }}`. Examples of using the `GITHUB_TOKEN` include passing the token as an input to an action, or using it to make an authenticated GitHub API request.\n\n> \\[!IMPORTANT]\n> An action can access the `GITHUB_TOKEN` through the `github.token` context even if the workflow does not explicitly pass the `GITHUB_TOKEN` to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the `GITHUB_TOKEN`. For more information, see [Workflow syntax for GitHub Actions](/en/actions/reference/workflow-syntax-for-github-actions#permissions).\n\n### Example 1: passing the `GITHUB_TOKEN` as an input\n\nThis example workflow uses the [GitHub CLI](/en/actions/using-workflows/using-github-cli-in-workflows), which requires the `GITHUB_TOKEN` as the value for the `GH_TOKEN` input parameter:\n\n```yaml copy\nname: Open new issue\non: workflow_dispatch\n\njobs:\n  open-issue:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      issues: write\n    steps:\n      - run: |\n          gh issue --repo ${{ github.repository }} \\\n            create --title \"Issue title\" --body \"Issue body\"\n        env:\n          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n```\n\n### Example 2: calling the REST API\n\nYou can use the `GITHUB_TOKEN` to make authenticated API calls. This example workflow creates an issue using the GitHub REST API:\n\n```yaml\nname: Create issue on commit\n\non: [ push ]\n\njobs:\n  create_issue:\n    runs-on: ubuntu-latest\n    permissions:\n      issues: write\n    steps:\n      - name: Create issue using REST API\n        run: |\n          curl --request POST \\\n          --url https://api.github.com/repos/${{ github.repository }}/issues \\\n          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \\\n          --header 'content-type: application/json' \\\n          --data '{\n            \"title\": \"Automated issue for commit: ${{ github.sha }}\",\n            \"body\": \"This issue was automatically created by the GitHub Action workflow **${{ github.workflow }}**. \\n\\n The commit hash was: _${{ github.sha }}_.\"\n            }' \\\n          --fail\n```\n\n## Modifying the permissions for the `GITHUB_TOKEN`\n\nUse the `permissions` key in your workflow file to modify permissions for the `GITHUB_TOKEN` for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. As a good security practice, you should grant the `GITHUB_TOKEN` the least required access.\n\nTo see the list of permissions available for use and their parameterized names, see [Managing your personal access tokens](/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#account-permissions).\n\nThe two workflow examples earlier in this article show the `permissions` key being used at the job level.\n\n## Granting additional permissions\n\nIf you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, create a GitHub App and generate an installation access token within your workflow. For more information, see [Making authenticated API requests with a GitHub App in a GitHub Actions workflow](/en/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). Alternatively, you can create a personal access token, store it as a secret in your repository, and use the token in your workflow with the `${{ secrets.SECRET_NAME }}` syntax. For more information, see [Managing your personal access tokens](/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [Using secrets in GitHub Actions](/en/actions/security-guides/using-secrets-in-github-actions).\n\n## Next steps\n\n* [GITHUB\\_TOKEN](/en/actions/concepts/security/github_token)\n* [Workflow syntax for GitHub Actions](/en/actions/reference/workflow-syntax-for-github-actions#permissions)"}