GitHub deprecation notice for authentication explained

How to deal with the recent messaging from GitHub regarding their deprecation of authentication via URL query parameters

- Chris Pook, 18th February 2020

The problem

You may have recently received a notification from GitHub similar to the one shown here, regarding the deprecation of authentication via URL query parameters. You'll encounter this when using the GitHub API to access repositories, and also when using Composer to install some repositories directly from GitHub.

This is something that you will need to address on any environment which requires access to the GitHub API.

[GitHub API] Deprecation notice for authentication via URL query parameters

On February 18th, 2020 at 10:44 (UTC) your personal access token was used as part of a query parameter to access an endpoint through the GitHub API.

The solution

As the authentication via URL query parameters method is deprecated, you'll need to use a different method to authenticate. Luckily, GitHub also allows authentication via HTTP header, which is now the best-practice option.

So, if you're currently making a GitHub API call similar to:

curl ""

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token'
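To locate and convert the remaining call sites, the following Python script (an added example, not code from GitHub or from the original post) scans lines of scripts or configuration for GitHub API URLs that carry a token in the query string and moves the token into the Authorization header shown above. It assumes the query parameter is named access_token and the API host is api.github.com, neither of which is shown on this page; the sample lines and repository names are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the deprecated query parameter is named access_token and the
# API host is api.github.com (neither value is shown on the page).
TOKEN_PARAM = "access_token"
URL_RE = re.compile(r"https://api\.github\.com/[^\s\"'<>]+")

# Constructed sample input: lines as they might appear in deploy scripts.
SAMPLE = [
    'curl "https://api.github.com/user/repos?access_token=my_access_token&per_page=50"',
    "curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos",
    "wget https://api.github.com/repos/example-org/example-repo/zipball/master"
    "?access_token=my_access_token",
]


def migrate(url):
    """Return (clean_url, headers) with the token moved from the query string
    into the Authorization header; other query parameters are preserved."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in query if k == TOKEN_PARAM and v]
    kept = [(k, v) for k, v in query if k != TOKEN_PARAM]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    headers = {"Authorization": "token " + tokens[0]} if tokens else {}
    return clean, headers


def find_call_sites(lines):
    """Yield (line_number, redacted_url) for every GitHub API URL that still
    authenticates via the query string. The token itself is never emitted,
    so the report is safe to paste into a ticket or a log."""
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            clean, headers = migrate(url)
            if headers:
                yield number, clean + " [token redacted]"


if __name__ == "__main__":
    for number, url in find_call_sites(SAMPLE):
        print(f"line {number}: {url}")
```

Any token the scan turns up has already been written to shell history, proxy logs or CI output along with the URL, so it is worth rotating after the call site is fixed.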

What if I don't control the API authentication?

If the GitHub API usage is embedded in an app that you are using but don't have control of the source code for, you will need to contact the vendor to ensure they are taking steps to mitigate this issue.

If you are experiencing the issue when using Composer, you can now upgrade to Composer 1.9.3, which uses the HTTP header method for authentication. Please see the release details here:


This is a deprecation that could have a major impact on your workflows, so it needs to be taken seriously. However, the steps needed to avoid further issues are simple and will provide better security in the long run.

Depending on your API usage, GitHub will be sending you the email reminder on a monthly basis for each token and User-Agent used in API calls made on your behalf. Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all. Make sure you have covered off all of the potential points of failure by addressing each notification to check the environments affected.

For more information about suggested workarounds and removal dates you can visit this link:
