When your enterprise is affected by a security incident, you can respond by preventing programmatic access to your enterprise or its organizations.
Available actions:
- Revoke SSO authorizations to remove access to SSO-protected organization resources for user credentials in your enterprise.
- Delete keys and tokens to remove user tokens and SSH keys in your enterprise, even if they don't have an SSO authorization (Enterprise Managed Users only).
In the "Authentication security" section of your enterprise settings, you can review counts for user tokens and keys that are authorized for single sign-on (SSO). Then, if needed, you can take action against credentials:
- For individual members: Revoke SSO authorizations or delete credentials for a specific user when responding to a targeted incident or performing routine access cleanup.
- For all members (bulk action): Take bulk action to revoke SSO authorizations or delete credentials across all members when responding to a major security incident.
Accessing the authentication security page
- Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.
- At the top of the page, click Settings.
- In the left sidebar, click Authentication security.
Reviewing credentials
In the "Credentials" section, you can view how many credentials of each type have at least one SSO authorization for an organization in your enterprise. For more information, see About authentication with single sign-on.
The counts include:
- Fine-grained personal access tokens
- Personal access tokens (classic)
- User SSH keys
- GitHub App and OAuth app user access tokens
An exact count is displayed if there are 10,000 or fewer of a token type. Above that figure, the description 10k+ tokens is displayed.
Understanding the available actions
The following sections describe what each action does, which SSO authorizations or credentials are impacted, and related audit log events.
Note
If your enterprise does not use Enterprise Managed Users and has not enabled SAML SSO, neither of these actions is available. As an alternative, if you need users to replace personal access tokens as part of your incident response, you can configure an enterprise policy to expire all personal access tokens. See Enforcing policies for personal access tokens in your enterprise.
Revoke SSO authorizations
This action is available for Enterprise Managed Users or enterprises that use SAML SSO.
Revoking authorizations removes SSO authorizations for user tokens and SSH keys, either for a specific user or across all organizations in your enterprise.
- Credentials that have had SSO authorizations revoked cannot be re-authorized for the affected organizations. To restore access, users must create new credentials and authorize them.
- The credentials themselves are not deleted, and their permissions for the user and enterprise scopes, and for non-SSO-protected organizations, remain active.
- Credentials that have not been authorized for SSO are not affected.
Authorization for fine-grained personal access tokens works differently, so this action has a different effect on this token type. For fine-grained PATs where an organization is the "resource owner," the resource owner is removed, removing access to organization resources. Users can change the resource owner back to the organization account, which may require approval (see Enforcing policies for personal access tokens in your enterprise).
Delete keys and tokens
This action is available for Enterprise Managed Users only.
Deleting keys and tokens removes credentials that have access to your enterprise, either for a specific user or for all users, regardless of whether they are authorized for SSO. The credentials stop working and are no longer visible in the UI.
To restore programmatic access, users must create new credentials, authorize them with organizations if required, and update affected processes to use the new credentials.
Included credentials
Both actions include the following credential types:
- User SSH keys
- OAuth apps user access tokens (
ghu_) - GitHub App user access tokens
- Personal access tokens (classic)
- Fine-grained personal access tokens
Note that the "revoke authorizations" action works differently for fine-grained personal access tokens, as explained above.
The following credential types are not affected:
- GitHub App installation tokens (
ghs_) - Fine-grained personal access tokens
- Deploy keys
- GitHub Actions
GITHUB_TOKENaccess
Audit and security log events
The "revoke authorizations" action generates the following events:
org_credential_authorization.deauthorizeorg_credential_authorization.revokepersonal_access_token.access_revoked
The "delete tokens" action also generates those events, and additionally generates the following events:
oauth_access.destroypersonal_access_token.destroy
Taking action against individual members
You can revoke SSO authorizations or delete credentials for a specific user. This is useful for responding to incidents affecting individual accounts, such as a compromised account or lost hardware, or for routine access cleanup.
Revoking authorizations for a specific user
- Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.
- At the top of the page, click Settings.
- In the left sidebar, click Authentication security.
- In the "Danger zone" section, click Revoke for ▼, then click A specific user.
- Select the user whose authorizations you want to revoke.
- To confirm, type
USERNAME credentials(replacingUSERNAMEwith the user's username). - Click Revoke authorizations.
Deleting credentials for a specific user
This action is available for Enterprise Managed Users only.
- Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.
- At the top of the page, click Settings.
- In the left sidebar, click Authentication security.
- In the "Danger zone" section, click Delete for ▼, then click A specific user.
- Select the user whose credentials you want to delete.
- To confirm, type
USERNAME credentials(replacingUSERNAMEwith the user's username). - Click Delete keys and tokens.
Taking bulk action against all members
Use the Danger zone bulk action buttons to respond to a major security incident by taking action against all members of your enterprise.
Warning
Bulk actions are high-impact actions that should be reserved for major security incidents. They are likely to break automations, and it could take months of work to restore your original state.
Revoking authorizations for all members
- Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.
- At the top of the page, click Settings.
- In the left sidebar, click Authentication security.
- In the "Danger zone" section, click Revoke for ▼, then click All users.
- Read the warning about the impact of this action.
- To confirm, type the name of your enterprise.
- Click Revoke authorizations.
Deleting credentials for all members
This action is available for Enterprise Managed Users only.
- Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.
- At the top of the page, click Settings.
- In the left sidebar, click Authentication security.
- In the "Danger zone" section, click Delete for ▼, then click All users.
- Read the warning about the impact of this action.
- To confirm, type the name of your enterprise.
- Click Delete keys and tokens.
Resources for smaller-scale responses
The following articles describe alternative actions for managing incidents that are smaller in scope, where you can identify specific compromised tokens or user accounts.
- Identifying audit log events performed by an access token
- Remediating a leaked secret in your repository
- Revocation in the REST API documentation