Creating a Fine-Grained Token in Github

Author: Sean Barbour

Fine-grained tokens

In GitHub, fine-grained personal access tokens have several security advantages over personal access tokens (classic):

  • Each token can only access resources owned by a single user or organization.
  • Each token can only access specific repositories.
  • Each token is granted specific permissions, which offer more control than the scopes granted to personal access tokens (classic).
  • Each token must have an expiration date.
  • Organization owners can require approval for any fine-grained personal access tokens that can access resources in the organization.

Fine-grained tokens are repository-scoped tokens suitable for personal API use and for using Git over HTTPS.

Classic tokens

Personal access tokens (classic) are less secure. However, some features currently will only work with personal access tokens (classic):

  • Only personal access tokens (classic) have write access for public repositories that are not owned by you or an organization that you are not a member of.
  • Outside collaborators can only use personal access tokens (classic) to access organization repositories that they are a collaborator on.
  • Some REST API operations are not available to fine-grained personal access tokens. For a list of REST API operations that are supported for fine-grained personal access tokens, see “Endpoints available for fine-grained personal access tokens”.

If you choose to use a personal access token (classic), keep in mind that it will grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account.

As a security precaution, GitHub automatically removes personal access tokens that haven’t been used in a year. To provide additional security, we highly recommend adding an expiration to your personal access tokens.

We use a classic token for access to all repositories in order to be able to pull down changes (think Hot-fix).


Successfully create a token (fine-grained) for use during the installation of Alta3’s cloud infrastructure. This will allow read access to the selected repositories that need eyes on to complete installation and running of containers successfully.

  1. Go to

  2. Click your icon in the top right.

  3. Click Settings.

  4. Scroll down and click on developer settings

  5. Click Personal access tokens (which currently has a dropdown)

  6. Click on Fine-grained tokens

  7. Click Generate new token

  8. Confirm access with your passkey / github mobile / password

  9. Section I: New fine-grained personal access token

    image image

    • Token Name: enchilada-install-YYYY-MM-DD
    • Expiration: 90 days (default is 30 days)
    • Description: “token for downloading the following repos: labs, enchilada, alta3-ansible, infrastructure, gutenberg, demo”
    • Resource Owner: alta3 (default is your user)
    • Write: “Needed for enchilada installation on cloud” (gets sent with the request for access)
  10. Section II: Repository access

    image image

  11. Click the bubble Only select repositories

  12. Click the dropdown Select repositories, then select repos:

    • labs
    • alta3-ansible
    • enchilada
    • infrastructure
    • demo
    • gutenberg

    image image

  13. Section III: Permissions

  14. Click the dropdown for Repository Permissions

    image image

  15. Select Read-only for:

    • Contents
    • Metadata

    DO NOT Change any other access. After you do this, if you collapse the dropdown, the Repository permissions should look like this:

    image image

  16. Do not make any changes to the Organization permissions.

  17. Section IV: Overview

  18. At the end of the metadata for this token, You should see the following:

    image image

    • 2 permissions for 6 of your repositories
    • No change in permissions for your organization
    • The date the token will expire
  19. Click on Generate token and request access.

    The reason “and request access” is added onto the button is because you changed the Resource Owner to alta3.

  20. Send a message to one of the GitHub organization’s administrators, requesting they approve the token because you are about to install enchilada on a new cloud!!!

← Previous Next →