Publish Personal API Token GitHub API

As per this link, there is a scope for OAuth tokens that appears to only provide access to public GitHub resources.

(no scope): Provides read-only access to public information (includes user profile information, shared repository information, and data)

Is it still unsafe to include this access token in your JavaScript client-side code?

+3




2 answers


VonC's answer is correct, but the main risk of making a public token is missing:

An attacker could deliberately abuse your token, which could void your API quota or could lead to your token or GitHub account being blocked.



Find below the answer I got from GitHub support:

The publication of such a fuzzy token is unsafe in the sense that the token can only be used to obtain information that is already publicly available - it cannot be used to obtain any personal data and cannot be used to modify any data.

However, you may consider it insecure in the sense that all of your tokens use the same GitHub API quota ( https://developer.github.com/v3/#rate-limiting ). So, if someone takes your token and makes a lot of API requests with it, they will drain their quota and all your tokens and applications that you authorized will have to wait until the quota is updated.

In addition, if such a person makes a lot of API requests in a short period of time with your token, they can cause abuse restrictions ( https://developer.github.com/guides/best-practices-for-integrators/#dealing-with-abuse-rate-limits ) and if they don't slow down, we may need to block this token or the entire account to prevent further problems on our end (and for other users).

+3




It's not safe, you just need to recognize the management aspect.

If your account is deleted for any reason, or if you revoke the token, it will become invalid, meaning any user of your client-side JavaScript code will experience crashes until you post an update.



So you can see this approach (including the "scaled" PAT) used in this repo, for example.

0


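Both answers describe failure modes a client-side caller should survive rather than crash on: the shared quota being drained or abuse-limited (first answer) and the token being revoked or the account deleted (second answer). The helper below is an added example, not code from the question, the answers, or GitHub; it injects `fetchImpl` so the logic runs offline against a constructed fake, and the token value is a placeholder.

```javascript
// Added example (not from the question or answers): a client-side helper that
// calls the GitHub REST API with an optional no-scope token and degrades
// gracefully on 401 (token revoked / account gone) and 403/429 (quota drained
// or abuse limit), the two risks the answers above describe.
async function githubGet(path, token, fetchImpl = globalThis.fetch) {
  const headers = { Accept: "application/vnd.github+json" };
  if (token) headers.Authorization = `token ${token}`;
  const res = await fetchImpl(`https://api.github.com${path}`, { headers });
  const remaining = Number(res.headers.get("x-ratelimit-remaining") ?? -1);
  const resetAt = Number(res.headers.get("x-ratelimit-reset") ?? 0);

  // Revoked token or deleted account: retry anonymously instead of crashing,
  // and flag it so the page owner can notice and ship an update.
  if (res.status === 401 && token) {
    const anon = await githubGet(path, null, fetchImpl);
    return { ...anon, tokenInvalid: true };
  }
  // Quota exhausted or abuse limit: report how long to back off, do not retry.
  if (res.status === 403 || res.status === 429) {
    const retryAfter = Number(res.headers.get("retry-after"));
    const waitSeconds = retryAfter > 0
      ? retryAfter
      : Math.max(0, resetAt - Math.floor(Date.now() / 1000));
    return { ok: false, rateLimited: true, waitSeconds, remaining };
  }
  if (!res.ok) return { ok: false, status: res.status, remaining };
  return { ok: true, data: await res.json(), remaining };
}

// Constructed fake fetch for offline use: each call returns the next canned
// reply (status, lowercase header names, body); no real token or network needed.
function fakeFetch(replies) {
  return async () => {
    const r = replies.shift();
    return {
      ok: r.status >= 200 && r.status < 300,
      status: r.status,
      headers: new Map(Object.entries(r.headers || {})),
      json: async () => r.body ?? {},
    };
  };
}

// Demo: a revoked placeholder token, then an abuse-limited anonymous call.
async function demo() {
  const revoked = fakeFetch([
    { status: 401, headers: {} },
    { status: 200, headers: { "x-ratelimit-remaining": "59" }, body: { login: "octocat" } },
  ]);
  const first = await githubGet("/users/octocat", "ghp_REVOKED_PLACEHOLDER", revoked);
  const limited = fakeFetch([{ status: 403, headers: { "retry-after": "60" } }]);
  const second = await githubGet("/users/octocat", null, limited);
  return { first, second };
}
```

In a real page, `waitSeconds` drives a backoff timer and `tokenInvalid` a console warning or telemetry event, so neither quota exhaustion nor revocation surfaces as an uncaught error.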






