¶ OAuth Scopes supported by GitHub
When initiating a GitHub login, you can ask the user to grant the required GitHub permissions by specifying the scope parameter. If the user agrees to the permissions contained in the scope, the GitHub access token will carry those permissions. If the user denies certain permissions, the GitHub access token cannot be used to call the GitHub APIs that require them.
When you specify scopes while configuring a connection, GitHub lists the selected permissions on its authorization page for the user to confirm.
If your application does not have a browser environment in which end users can confirm authorization, you do not need to select any scope. For details, see Authorizing OAuth apps.
You can send a HEAD request carrying the token to the relevant GitHub API endpoint to see which scopes it requires:
```shell
$ curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/users/codertocat -I
HTTP/2 200
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user
```
- X-OAuth-Scopes: the scopes of the current token.
- X-Accepted-OAuth-Scopes: the scopes required by this API.
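As an added example (not part of the original page), the following Python code parses the two headers above and reports scopes the token holds but the endpoint does not require, which is useful when trimming a token to least privilege. The `INCLUDES` hierarchy, the rule that any one accepted scope is sufficient, and the sample response head are assumptions made for illustration.

```python
# Added example: audit a token's scopes from GitHub's response headers.

# Parent scope -> scopes it includes (assumed subset of GitHub's scope hierarchy).
INCLUDES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org"}, "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook"}, "write:repo_hook": {"read:repo_hook"},
}

# Constructed sample: the response head shown above, with lowercase header
# names as HTTP/2 clients usually print them.
SAMPLE_HEAD = "HTTP/2 200\r\nx-oauth-scopes: repo, user\r\nx-accepted-oauth-scopes: user\r\n"


def parse_scope_headers(head):
    """Return (granted, accepted) scope sets from a raw response head."""
    found = {"x-oauth-scopes": set(), "x-accepted-oauth-scopes": set()}
    for line in head.splitlines():
        name, sep, value = line.partition(":")  # scopes may contain ':' too
        key = name.strip().lower()              # header names are case-insensitive
        if sep and key in found:
            # An empty value means "no scope"; drop blank items.
            found[key] = {s.strip() for s in value.split(",") if s.strip()}
    return found["x-oauth-scopes"], found["x-accepted-oauth-scopes"]


def expand(scopes):
    """Transitive closure of the given scopes under INCLUDES."""
    seen, todo = set(), list(scopes)
    while todo:
        scope = todo.pop()
        if scope not in seen:
            seen.add(scope)
            todo.extend(INCLUDES.get(scope, ()))
    return seen


def audit(granted, accepted):
    """Check sufficiency and list granted scopes this endpoint does not need."""
    # Assumption: any one accepted scope is enough; an empty set needs none.
    sufficient = not accepted or bool(expand(granted) & accepted)
    excess = sorted(g for g in granted if not expand({g}) & accepted)
    return {"sufficient": sufficient, "excess": excess}
```

For the sample response above, `audit(*parse_scope_headers(SAMPLE_HEAD))` reports the token as sufficient and lists `repo` as excess for this endpoint.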
¶ The role of Scopes
| Name | Description |
|---|---|
| (no scope) | Grants read-only access to public information (including user profile information, public repository information, and gists). |
| repo | Grants full access to repositories (including private repositories). This includes read/write access to repository and organization code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, deployment statuses, and repository webhooks. It also grants permission to manage user projects. |
| repo:status | Grants read/write access to commit statuses in public and private repositories. This scope is only needed to grant other users or services access to private repository commit statuses without granting access to the code. |
| repo_deployment | Grants access to deployment statuses of private and public repositories. This scope is only needed to grant other users or services access to deployment statuses without granting access to the code. |
| public_repo | Limits access to public repositories. This includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations. This scope is also required to star public repositories. |
| repo:invite | Grants permission to accept/decline repository collaboration invitations. This scope is only needed to grant other users or services access to invitations without granting access to the code. |
| security_events | Grants read and write access to security events in the code scanning API and read and write access to security events in the secret scanning API. This scope is only needed to grant other users or services access to security events without granting access to the code. |
| admin:repo_hook | Grants read, write, ping, and delete access to repository hooks in public or private repositories. The repo and public_repo scopes grant full access to repositories, including repository hooks. Use the admin:repo_hook scope to limit access to repository hooks only. |
| write:repo_hook | Grants read, write, and ping access to hooks in public or private repositories. |
| read:repo_hook | Grants read and ping access to hooks in public or private repositories. |
| admin:org | Fully manage the organization and its teams, projects, and members. |
| write:org | Read and write access to organization membership, organization projects, and team membership. |
| read:org | Read-only access to organization membership, organization projects, and team membership. |
| admin:public_key | Fully manage public keys. |
| write:public_key | Create, list, and view details of public keys. |
| read:public_key | List and view details of public keys. |
| admin:org_hook | Grants read, write, ping, and delete access to organization hooks. Note: OAuth tokens can only perform these actions on organization hooks created by the OAuth application. Personal access tokens can only perform these actions on user-created organization hooks. |
| gist | Grants write access to gists. |
| notifications | Grants read access to a user's notifications, permission to mark threads as read, permission to watch and unwatch repositories, and read, write, and delete access to thread subscriptions. |
| user | Grants read/write access to profile information only. Note that this scope includes user:email and user:follow. |
| read:user | Grants access to read user profile data. |
| user:email | Grants read access to user email addresses. |
| user:follow | Grants access to follow or unfollow other users. |
| delete_repo | Grants permission to delete repositories the user can administer. |
| write:discussion | Grants read and write access to team discussions. |
| read:discussion | Grants read access to team discussions. |
| write:packages | Grants permission to upload or publish packages in GitHub Packages. |
| read:packages | Grants permission to download or install packages from GitHub Packages. |
| delete:packages | Grants permission to remove packages from GitHub Packages. |
| admin:gpg_key | Fully manage GPG keys. |
| write:gpg_key | Create, list, and view details of GPG keys. |
| read:gpg_key | List and view details of GPG keys. |