»GitHub Auth Method

The github auth method can be used to authenticate with Vault using a GitHub personal access token. This method of authentication is most useful for humans: operators or developers using Vault directly via the CLI.


»Via the CLI

The default path is /github. If this auth method was enabled at a different path, specify -path=/my-path in the CLI.

$ vault login -method=github token="MY_TOKEN"
$ vault login -method=github token="MY_TOKEN"

»Via the API

The default endpoint is auth/github/login. If this auth method was enabled at a different path, use that value instead of github.

$ curl \
    --request POST \
    --data '{"token": "MY_TOKEN"}' \
$ curl \    --request POST \    --data '{"token": "MY_TOKEN"}' \

The response will contain a token at auth.client_token:

  "auth": {
    "renewable": true,
    "lease_duration": 2764800,
    "metadata": {
      "username": "my-user",
      "org": "my-org"
    "policies": ["default", "dev-policy"],
    "accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",
    "client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"
{  "auth": {    "renewable": true,    "lease_duration": 2764800,    "metadata": {      "username": "my-user",      "org": "my-org"    },    "policies": ["default", "dev-policy"],    "accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",    "client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"  }}


Auth methods must be configured in advance before users or machines can authenticate. These steps are usually completed by an operator or configuration management tool.

  1. Enable the GitHub auth method:

    $ vault auth enable github
    $ vault auth enable github
  2. Use the /config endpoint to configure Vault to talk to GitHub.

    $ vault write auth/github/config organization=hashicorp
    $ vault write auth/github/config organization=hashicorp

    For the complete list of configuration options, please see the API documentation.

  3. Map the users/teams of that GitHub organization to policies in Vault. Team names must be "slugified":

    $ vault write auth/github/map/teams/dev value=dev-policy
    $ vault write auth/github/map/teams/dev value=dev-policy

    In this example, when members of the team "dev" in the organization "hashicorp" authenticate to Vault using a GitHub personal access token, they will be given a token with the "dev-policy" policy attached.

    You can also create mappings for a specific user map/users/<user> endpoint:

    $ vault write auth/github/map/users/sethvargo value=sethvargo-policy
    $ vault write auth/github/map/users/sethvargo value=sethvargo-policy

    In this example, a user with the GitHub username sethvargo will be assigned the sethvargo-policy policy in addition to any team policies.


The GitHub auth method has a full HTTP API. Please see the GitHub Auth API for more details.