GitHub API oauth

I am building an app that scans repos, public and private. I am using the OAuth token authentication and have been testing this for weeks using public repos and my own repos for scanning non-public repos. The retrieval of my private repos has been working fine, until yesterday, when the API suddenly started returning only my public repos. I verified this with curl. I also went to GitHub and invalidated all the tokens and re-authorized to get a fresh token - same result. The docs say that tokens don’t expire, but tokens become invalid based on certain conditions (like abuse or putting a token on a public repo). I have not, to my knowledge, violated any of those conditions, and have received no notification, yet the same calls that yesterday returned all of my repos now only return my public ones.

I checked my auth level with:

curl -H "Authorization: token ###my-token-here#######" "https://api.github.com/users/smelehy" -I
HTTP/1.1 200 OK
Date: Wed, 07 Oct 2020 15:20:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1594
Server: GitHub.com
Status: 200 OK
Cache-Control: private, max-age=60, s-maxage=60
Vary: Accept, Authorization, Cookie, X-GitHub-OTP
ETag: "cab48cea7fe5a63d2ddacbb280069188707bfa46f47078291680bed1ecd450cd"
Last-Modified: Wed, 07 Oct 2020 02:03:04 GMT
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes:
X-OAuth-Client-Id: xxxxxxxxxxxxxx
X-GitHub-Media-Type: github.v3; format=json
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4999
X-RateLimit-Reset: 1602087650
X-RateLimit-Used: 1
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'
Vary: Accept-Encoding, Accept, X-Requested-With
Vary: Accept-Encoding
X-GitHub-Request-Id: 8B3C:7664:CFC4C:103380:5F7DDCD2

curl call that before yesterday returned all my repos and now only returns public ones:

curl -H "Authorization: token ##########my-token-here###############" "###same-url-as-above##" plus "/repos".

I am out of things to try at this point.

This is resolved. Turns out that my code was using a slightly different API URL than I realized. You can’t use the same URL to retrieve public repos and authenticated private repos.

return public repos: GET /users/:username/repos
private repos: GET /user/repos (have to have authenticated header with token go with this)
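
A small triage helper for the situation in this thread, added here as an example and not code from the original post: given a request URL and saved `curl -I` output, it reports whether the call can return private repos at all, based on the endpoint path and the `X-OAuth-Scopes` header. The function names are hypothetical and the sample headers are constructed (trimmed from the output shown above).

```shell
# Constructed sample: a trimmed `curl -I` response like the one in the post.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes:'

# Print the token scopes from saved response headers (names are case-insensitive).
token_scopes() (
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F': *' 'tolower($1) == "x-oauth-scopes" { print $2; exit }'
)

# Succeed only if the comma-separated scope list contains exactly scope $2.
has_scope() {
  case ",$(printf '%s' "$1" | tr -d ' ')," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

# Classify a request URL plus its response headers.
repo_visibility() (
  path="${1#https://api.github.com}"   # drop the API host
  path="${path%%\?*}"                  # drop any query string
  scopes="$(token_scopes "$2")"
  case "$path" in
    /users/*/repos)
      # Per-username listing: public repos only, whatever token is sent.
      echo "public-only: /users/:username/repos never lists private repos" ;;
    /user/repos)
      # Authenticated listing: private repos need the repo scope.
      if has_scope "$scopes" repo; then
        echo "public+private: /user/repos with repo scope"
      else
        echo "public-only: token lacks repo scope (has: ${scopes:-none})"
      fi ;;
    *)
      echo "unknown: not a repo listing path" ;;
  esac
)

# The call from the post, then the corrected one.
repo_visibility "https://api.github.com/users/smelehy/repos" "$SAMPLE_HEADERS"
repo_visibility "https://api.github.com/user/repos" "$SAMPLE_HEADERS"
```

A token with `repo` scope and a 200 response, as in the post, says nothing about the endpoint: the per-username path succeeds and simply omits private repos.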