diff --git a/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md b/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md index 8211074a5189..3b1f6859dff2 100644 --- a/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md +++ b/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md @@ -31,6 +31,8 @@ Once a user has authorized your app, you can generate a user access token, which Requests made with a user access token are sometimes called "user-to-server" requests. +{% data reusables.user-settings.token_access_capabilities %} + If you want to attribute app activity to the app instead of to a user, you should authenticate as an app installation instead. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)." {% note %} diff --git a/content/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps.md b/content/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps.md index 0ef9d216e129..2fc769074620 100644 --- a/content/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps.md +++ b/content/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps.md @@ -51,6 +51,8 @@ When you want to use an {% data variables.product.prodname_oauth_app %} that int {% endtip %} +{% data reusables.user-settings.token_access_capabilities %} For example, an application can create an access token that is configured with an `admin:org` scope, but if the user of the application is not an organization owner, the application will not be granted administrative access to the organization. + {% data reusables.apps.oauth-token-limit %} ### Types of requested data 
diff --git a/content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md b/content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md index 7250ba99230f..bcb828b3b7ad 100644 --- a/content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md +++ b/content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md @@ -33,6 +33,8 @@ For more information, see "[Keeping your {% data variables.product.pat_generic % {% data variables.product.pat_generic_caps %}s are intended to access {% data variables.product.company_short %} resources on behalf of yourself. To access resources on behalf of an organization, or for long-lived integrations, you should use a {% data variables.product.prodname_github_app %}. For more information, see "[AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/about-creating-github-apps)." +{% data reusables.user-settings.token_access_capabilities %} For example, a {% data variables.product.pat_generic %} can be configured with an `admin:org` scope, but if the owner of the token is not an organization owner, the token will not give administrative access to the organization. + {% ifversion pat-v2 %} ### Types of {% data variables.product.pat_generic %}s diff --git a/content/rest/authentication/keeping-your-api-credentials-secure.md b/content/rest/authentication/keeping-your-api-credentials-secure.md index 04e2511b29d4..a1753dab1b05 100644 --- a/content/rest/authentication/keeping-your-api-credentials-secure.md +++ b/content/rest/authentication/keeping-your-api-credentials-secure.md 
@@ -34,6 +34,8 @@ When creating a {% data variables.product.pat_generic %}, only select the minimu {% endif %} +{% data reusables.user-settings.token_access_capabilities %} + When creating a {% data variables.product.prodname_github_app %}, select the minimum permissions that your {% data variables.product.prodname_github_app %} will need. For more information, see "[AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/best-practices-for-creating-a-github-app)." When authenticating with `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow, only give the minimum amount of permissions needed. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)." diff --git a/data/reusables/user-settings/token_access_capabilities.md b/data/reusables/user-settings/token_access_capabilities.md new file mode 100644 index 000000000000..5ecd623d8581 --- /dev/null +++ b/data/reusables/user-settings/token_access_capabilities.md @@ -0,0 +1 @@ +A token has the same capabilities to access resources and perform actions on those resources, that the owner of the token has, and is further limited by any scopes or permissions granted to the token. A token cannot grant additional access capabilities to a user.
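Review bot: The first sentence of the new reusable in `data/reusables/user-settings/token_access_capabilities.md` has a misplaced comma ("...perform actions on those resources, that the owner of the token has") that splits the relative clause from its noun and makes the sentence hard to parse. Suggest restating it as a single clause, for example "A token can access the same resources, and perform the same actions on those resources, as the owner of the token can, and is further limited by any scopes or permissions granted to the token." The second sentence, "A token cannot grant additional access capabilities to a user," is the key security point and reads well as is; keep it.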
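Review bot: In the `authorizing-oauth-apps.md` hunk, the added example says "an application can create an access token that is configured with an `admin:org` scope", but an OAuth app does not create the token itself; it requests the scope during authorization and the token is issued by the platform. Suggest "an application can request an access token with the `admin:org` scope, but if the user who authorizes the application is not an organization owner, the token will not grant administrative access to the organization." That also mirrors the parallel wording used in the `managing-your-personal-access-tokens.md` hunk ("the token will not give administrative access"), so the two examples stay consistent.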
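Review bot: In the `keeping-your-api-credentials-secure.md` hunk, the reusable is inserted between the PAT paragraph (inside the closed `{% ifversion %}` block) and the GitHub App paragraph, so it sits in a least-privilege section that otherwise addresses each credential type in turn. Because the sentence is generic and applies to every token type on that page, consider either adding a short connecting sentence tying it to the "select the minimum permissions" guidance on both sides, or moving it to the top of the section before the per-credential paragraphs so readers do not take it as applying only to PATs. The same reusable is inserted without any example here and in the GitHub App hunk, while the OAuth and PAT hunks each add a concrete `admin:org` example; that inconsistency is acceptable, but it is worth a deliberate decision rather than an accident.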