Commit 5862cad

Credential revocation REST API endpoint (#55233)
Co-authored-by: Jules Porter <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Anne-Marie <[email protected]>
Co-authored-by: Greg Ose <[email protected]>
Co-authored-by: Sarita Iyer <[email protected]>
Co-authored-by: Usha N <[email protected]>
1 parent 193f0e8 commit 5862cad

4 files changed

+31
-0
lines changed

content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -145,6 +145,9 @@ You should delete a {% data variables.product.pat_generic %} if it is no longer
145145
1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click either **Fine-grained tokens** or **Tokens (classic)**, depending on which type of {% data variables.product.pat_generic %} you'd like to delete.
146146
1. To the right of the {% data variables.product.pat_generic %} you want to delete, click **Delete**.
147147

148+
{% ifversion ghec or fpt %}> [!NOTE] If you find a leaked {% data variables.product.pat_generic %} belonging to someone else, you can submit a revocation request through the REST API. See [AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization#mitigate-data-leaks).
149+
{% endif %}
150+
148151
## Using a {% data variables.product.pat_generic %} on the command line
149152

150153
Once you have a {% data variables.product.pat_generic %}, you can enter it instead of your password when performing Git operations over HTTPS.
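Review bot: the `> [!NOTE]` callout on new line 148 is opened on the same line as `{% ifversion ghec or fpt %}`, whereas the other three files in this commit put the liquid tag on its own line with blank lines around it; for consistent rendering of the alert, split it into `{% ifversion ghec or fpt %}`, a blank line, `> [!NOTE]`, and `> If you find a leaked ...`. This note also links to the best-practices page rather than straight to the endpoint reference `/rest/credentials/revoke#revoke-a-list-of-credentials` that the other files use; linking the endpoint directly saves the reader a hop.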

content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md

Lines changed: 12 additions & 0 deletions
@@ -45,6 +45,18 @@ You can revoke your authorization of a {% data variables.product.prodname_github
4545

4646
Once an authorization is revoked, any tokens associated with the authorization will be revoked as well. To reauthorize an application, follow the instructions from the third-party application or website to connect your account on {% data variables.product.prodname_dotcom %} again.
4747

48+
{% ifversion fpt or ghec %}
49+
50+
## Token revoked by a third party
51+
52+
To prevent unauthorized access using exposed tokens, {% data variables.product.github %} recommends token revocation to ensure that a token can no longer be used to authenticate to {% data variables.product.github %}. If you find another user's {% data variables.product.pat_generic %} leaked on {% data variables.product.github %} or elsewhere, you can submit a revocation request through the REST API. See [AUTOTITLE](/rest/credentials/revoke#revoke-a-list-of-credentials).
53+
54+
If a valid {% data variables.product.pat_generic %} is submitted to {% data variables.product.github %}'s credential revocation API, the token will be automatically revoked. This API allows a third party to revoke a token they do not own and helps protect the data associated with this token from unauthorized access, limiting the impact of exposed tokens.
55+
56+
To encourage reports and ensure that exposed tokens can be quickly and easily revoked, we do not require authentication for the revocation requests submitted through the API. As a result, {% data variables.product.github %} is unable to provide further information about the source of the reported token.
57+
58+
{% endif %}
59+
4860
## Token revoked by the {% data variables.product.prodname_oauth_app %}
4961

5062
The owner of an {% data variables.product.prodname_oauth_app %} can revoke an account's authorization of their app, this will also revoke any tokens associated with the authorization. For more information about revoking authorizations of your {% data variables.product.prodname_oauth_app %}, see [AUTOTITLE](/rest/apps/oauth-applications#delete-an-app-authorization).
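Review bot: the new section (new lines 50-56) explains how a third party revokes someone else's token but says nothing about what happens on the owner's side, which is the audience of this page; it should state whether the owner is notified and how the revocation shows up in their token list, or link to where that is documented. Since line 56 states that these requests are unauthenticated, line 54 should also say what "valid" means and what the API does with a token that is already expired or revoked, which is the first question a reader will have. Minor: `{% ifversion fpt or ghec %}` here versus `ghec or fpt` in the other files touched by this commit; pick one ordering.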

content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md

Lines changed: 10 additions & 0 deletions
@@ -116,6 +116,16 @@ If you're unable to coordinate directly with the repository owner to remove data
116116
> If one of your repositories has been taken down due to a false claim, you should fill out a DMCA
117117
counter notice form and alert GitHub Support. For more information, see [DMCA counter notice](https://support.github.com/contact/dmca-counter-notice).
118118

119+
{% ifversion ghec or fpt %}
120+
121+
### Revoke exposed tokens
122+
123+
If a {% data variables.product.pat_generic_plural %} has been exposed in a {% data variables.product.github %} repository, {% data variables.product.github %} {% data variables.product.prodname_secret_scanning %} can be used to report and revoke the token. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts#reporting-a-leaked-secret).
124+
125+
You can also revoke {% data variables.product.pat_generic_plural %} that you do not own and have been exposed outside of {% data variables.product.github %} repositories. By doing this, you are contributing to the overall security of the {% data variables.product.github %} community and can quickly limit the impact of these tokens. If you find exposed {% data variables.product.pat_generic_plural %} either on {% data variables.product.github %} or elsewhere, you can submit a revocation request using the REST API. See [AUTOTITLE](/rest/credentials/revoke#revoke-a-list-of-credentials).
126+
127+
{% endif %}
128+
119129
## Next steps
120130

121131
* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)
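Review bot: grammar on new line 123: `If a {% data variables.product.pat_generic_plural %} has been exposed` pairs the singular article `a` with the plural variable; use `pat_generic` here, as the other files do, or rewrite as `If {% data variables.product.pat_generic_plural %} have been exposed`. Line 125 has a similar slip in `revoke ... that you do not own and have been exposed`, which should read `that you do not own and that have been exposed`. The last sentence of line 125 also repeats the "on GitHub or elsewhere" condition already given earlier in the paragraph; the paragraph could be trimmed to the condition, the community-benefit sentence, and the link.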

content/rest/authentication/keeping-your-api-credentials-secure.md

Lines changed: 6 additions & 0 deletions
@@ -53,6 +53,12 @@ If you're creating a {% data variables.product.prodname_actions %} workflow that
5353

5454
Never hardcode authentication credentials like tokens, keys, or app-related secrets into your code. Instead, consider using a secret manager such as [Azure Key Vault](https://azure.microsoft.com/products/key-vault) or [HashiCorp Vault](https://www.hashicorp.com/products/vault). For more information about securing {% data variables.product.prodname_github_app %} credentials, see [AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/best-practices-for-creating-a-github-app).
5555

56+
{% ifversion fpt or ghec %}
57+
58+
If you find another user's {% data variables.product.pat_generic %} exposed on {% data variables.product.github %} or elsewhere, you can submit a revocation request through the REST API. See [AUTOTITLE](/rest/credentials/revoke#revoke-a-list-of-credentials).
59+
60+
{% endif %}
61+
5662
When using a {% data variables.product.pat_generic %} in a script, consider storing your token as a {% data variables.product.prodname_actions %} secret and running your script through {% data variables.product.prodname_actions %}.{% ifversion fpt or ghec %} You can also store your token as a Codespaces secret and run your script in Codespaces.{% endif %} For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion fpt or ghec %} and [AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces){% endif %}.
5763

5864
If none of these options are possible, you can store authentication credentials in a `.env` file. Make sure to encrypt your `.env` file, and never push it to any repository.
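Review bot: the added paragraph (new line 58) sits between two paragraphs about handling your own credentials (never hardcode them; store them as an Actions secret), so it reads as an aside; consider moving it after the `.env` paragraph at line 64 or giving it a short subsection heading, mirroring the `## Token revoked by a third party` section added in token-expiration-and-revocation.md in this same commit. The link target `/rest/credentials/revoke#revoke-a-list-of-credentials` is now repeated verbatim in three files; worth a quick check that the anchor exists in the REST reference before merging.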
