API for determining Personal Access Token scopes?

Is there a way to retrieve the current scopes for a Personal Access Token (PAT)?

Use Case :

As an organization owner, I want to know the scopes currently granted to a PAT for a member of my organization that has been leaked.

Thanks,

–Hal

1 Like

Got the answer from Ivan in support:

If it hadn’t been revoked, you could have figured out which scopes it has by making any API call with that token (https://developer.github.com/v3/#authentication) and then looking at the X-OAuth-Scopes response header. That header tells you which scopes the token has.

I’ve spent so much time staring at JSON that I forgot about the HTTP headers. /o\

Thanks, Ivan!

3 Likes
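The check Ivan describes, written out as a small script. This is an added example, not code from the thread or from GitHub: it makes one cheap authenticated request (a GET on the API root is enough, since GitHub attaches the scope header to any token-authenticated response) and parses the X-OAuth-Scopes header. It assumes a classic, scope-based token on public GitHub (`https://api.github.com`); the token is read from the `GITHUB_TOKEN` environment variable, and the `HIGH_RISK` list is my own triage set for a leaked-token situation, not anything GitHub defines. Note that the check only works while the token is still live: do it before you revoke.

```python
"""Report the scopes of a (classic) GitHub personal access token.

Added example, not from the original thread. Sends one minimal
authenticated request and reads the X-OAuth-Scopes response header.
"""
import os
import sys
import urllib.error
import urllib.request

API_ROOT = "https://api.github.com"  # assumption: public GitHub, not GHES

# Assumption for triage of a leaked token: scopes that let the holder
# change code, org membership or CI, or that span several products.
HIGH_RISK = {"repo", "delete_repo", "workflow", "write:packages",
             "delete:packages", "admin:org", "admin:public_key",
             "admin:repo_hook", "admin:org_hook", "admin:gpg_key",
             "admin:enterprise"}


def parse_scopes(headers, name="X-OAuth-Scopes"):
    """Return the scopes listed in `name` as a sorted list.

    `headers` is any mapping of header name -> value; lookup is done
    case-insensitively so a plain dict works offline. The header value
    looks like "repo, admin:org, read:user"; a token with no scopes
    (or a response without the header) yields [].
    """
    value = ""
    for key, val in headers.items():
        if key.lower() == name.lower():
            value = val or ""
            break
    return sorted(s.strip() for s in value.split(",") if s.strip())


def high_risk(scopes):
    """Subset of `scopes` that warrants immediate attention, sorted."""
    return sorted(s for s in scopes
                  if s in HIGH_RISK or s.startswith("admin:"))


def fetch_scopes(token, api_root=API_ROOT):
    """Make one authenticated call and return (http_status, scopes).

    A revoked token gets 401 and no scope header, so the result is only
    meaningful while the token is still valid.
    """
    req = urllib.request.Request(
        api_root + "/",
        headers={
            "Authorization": "token " + token,
            "Accept": "application/vnd.github+json",
            # GitHub rejects requests that carry no User-Agent at all
            "User-Agent": "pat-scope-check",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, parse_scopes(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # err.headers is the response header block, same as on success
        return err.code, parse_scopes(dict(err.headers.items()))


if __name__ == "__main__":
    tok = os.environ.get("GITHUB_TOKEN")
    if not tok:
        sys.exit("set GITHUB_TOKEN to the token being investigated")
    status, scopes = fetch_scopes(tok)
    # never echo the token itself; the scopes are what we want on record
    print("HTTP", status)
    print("scopes:", ", ".join(scopes) or "(none)")
    print("high-risk:", ", ".join(high_risk(scopes)) or "(none)")
```

The same check from a shell is `curl -sI -H "Authorization: token $GITHUB_TOKEN" https://api.github.com | grep -i x-oauth-scopes`. The neighbouring `X-Accepted-OAuth-Scopes` header is different: it lists the scopes the endpoint you hit would accept, not the ones the token holds, so `parse_scopes(headers, "X-Accepted-OAuth-Scopes")` answers a different question.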

The issue is that if you change the scope of the API after creating it the headers do not update!

@yakov116 – if you’re seeing that behavior, that would be a separate bug that should be reported. I rarely change scopes, so have not encountered this.