Critical: act in the next 60 seconds

GitHub personal access token leaked? Revoke before it gets used

Your GitHub personal access token may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01

    Go to GitHub → Settings → Developer settings → Personal access tokens → find the leaked token and Delete.

  2. Step 02

    Create a fine-grained replacement scoped to the minimum repos and permissions you actually need.

  3. Step 03

    Review your security log: github.com/settings/security-log. Filter for actions from unfamiliar IPs or at unfamiliar times in the leak window, and look especially for repository clones, new deploy keys, new SSH keys and new tokens. The log only covers the last 90 days, so do this now rather than later.

Step 01 — Revoke

Kill the leaked credential first

Settings → Developer settings → Personal access tokens → Tokens (classic) or Fine-grained tokens. Click the leaked token → Delete. Confirm. The prefix tells you which list to look in: ghp_ is a classic token, github_pat_ is fine-grained. If you cannot tell which token leaked, use the last-used time GitHub shows next to each token and revoke every token you cannot account for; a revoked token costs you a re-login in CI, a live one costs you your repositories. Then "Generate new token (fine-grained)" with a minimum-permission set and a short expiry.

Open GitHub tokens

Step 02 — Rotate

Update the new key in the right place

Server-side env vars only: never in client code, and never under a NEXT_PUBLIC_ prefix, which Next.js inlines into the browser bundle at build time (VITE_ and REACT_APP_ prefixes do the same in Vite and Create React App). Confirm .env is listed in .gitignore and was never tracked (git ls-files will list it if it was).

Update your CI and local env
# .env (server side, never committed; keep it in .gitignore)
GITHUB_TOKEN=github_pat_...

# Update GitHub Actions / Vercel / Railway env vars too, then redeploy:
# a build that ran before the rotation still carries the old value

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan to confirm the token is no longer in your deployed bundle and that nothing else is leaking with it. Check three places, not one: the source tree, the build output that is actually deployed (an older build may still be live on the CDN), and git history. Deleting the file from the working tree does not remove the token from history; revocation is what makes the historical copy harmless, so do not treat a history rewrite as a substitute for Step 01.
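As an added example (not code from this page or from any scanning product it describes), here is a small Python scanner you can point at a checkout or at a build output directory. It assumes the public GitHub token formats (a four-character prefix such as ghp_ followed by 36 base62 characters; github_pat_ followed by 22 characters, an underscore and 59 characters), and its list of risky locations mirrors the leak paths listed on this page. The sample files and tokens are constructed for the demonstration, and the function names (scan_text, scan_files, scan_directory) are mine.

```python
"""Leaked-GitHub-token scanner (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass
from pathlib import Path

# Public GitHub token formats: 4-letter prefix + 36 base62 chars for
# personal (ghp_), OAuth (gho_), user-to-server (ghu_) and
# server-to-server (ghs_) tokens; fine-grained PATs are
# github_pat_ + 22 chars + "_" + 59 chars.
TOKEN_PATTERNS = {
    "github token literal": re.compile(r"\bgh[posu]_[A-Za-z0-9]{36}\b"),
    "github fine-grained PAT literal": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

# A "token:"/"password=" assignment in a workflow whose value is not a
# ${{ ... }} expression is a literal credential, whatever its format.
CRED_ASSIGNMENT = re.compile(r"(?i)(token|password)\s*[:=]\s*(?P<val>\S+)")

# Locations named under "How this usually leaks" on the page (assumption:
# these markers are enough to classify the path).
RISKY_PATH_MARKERS = (".npmrc", ".netrc", "/.github/workflows/",
                      "/public/", "postman_collection.json")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    hint: str          # prefix + last 4 chars; never log the full secret
    risky_path: bool


def redact(secret: str) -> str:
    return f"{secret[:4]}...{secret[-4:]}"


def _norm(path: str) -> str:
    return "/" + path.replace("\\", "/").lstrip("/")


def is_risky_path(path: str) -> bool:
    return any(marker in _norm(path) for marker in RISKY_PATH_MARKERS)


def is_workflow(path: str) -> bool:
    p = _norm(path)
    return "/.github/workflows/" in p and p.endswith((".yml", ".yaml"))


def scan_text(path: str, text: str) -> list:
    """Return one Finding per token literal (or literal workflow credential)."""
    findings, risky, workflow = [], is_risky_path(path), is_workflow(path)
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                matched = True
                findings.append(Finding(path, lineno, kind, redact(m.group()), risky))
        if workflow and not matched:
            m = CRED_ASSIGNMENT.search(line)
            if m and not m.group("val").startswith("${{"):
                findings.append(Finding(path, lineno, "literal credential in workflow",
                                        redact(m.group("val")), risky))
    return findings


def scan_files(files: dict) -> list:
    """files: {relative path: text}. Scans a tree supplied in memory."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_directory(root) -> list:
    """Scan every regular file under root (e.g. a checkout or dist/), skipping .git."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts:
            files[str(rel)] = p.read_text(encoding="utf-8", errors="ignore")
    return scan_files(files)


# Constructed sample inputs: fake tokens built from repeated characters so
# they match the format but are not real secrets.
FAKE_CLASSIC = "ghp_" + "A" * 36
FAKE_FINE_GRAINED = "github_pat_" + "B" * 22 + "_" + "C" * 59

SAMPLE_FILES = {
    ".npmrc": f"//npm.pkg.github.com/:_authToken={FAKE_CLASSIC}\n",
    ".github/workflows/deploy.yml": (
        "      with:\n"
        "        token: ${{ secrets.GITHUB_TOKEN }}\n"      # correct: a reference
        "      env:\n"
        f"        GH_TOKEN: {FAKE_FINE_GRAINED}\n"            # literal PAT
        "        NPM_TOKEN: npm_literal_pasted_by_mistake\n"  # literal, other format
    ),
    "public/config.js": f'window.GH = {{ token: "{FAKE_CLASSIC}" }};\n',
    "api.postman_collection.json": f'{{"key": "token", "value": "{FAKE_FINE_GRAINED}"}}\n',
    "dist/server.js": "const token = process.env.GITHUB_TOKEN;\n",  # clean
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        flag = " [leak path]" if f.risky_path else ""
        print(f"{f.path}:{f.line}: {f.kind} ({f.hint}){flag}")
```

Run it against the built artifact (dist/, .next/, build/) as well as the source tree: a token removed from source can still sit in an older build that is still deployed. For history, feed the output of git log -p to scan_text the same way. Findings are reduced to prefix plus last four characters so the report itself does not become a second leak.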

How this usually leaks

  • 01 Committed in a .npmrc or ~/.netrc file accidentally added to git.
  • 02 Pasted into a GitHub Actions workflow file as a literal instead of ${{ secrets.GITHUB_TOKEN }}.
  • 03 Embedded in a config file deployed to /public/ for client-side gh-pages style "auth".
  • 04 Stored in a Postman collection committed to source control.

FAQ

Frequently asked questions

GitHub auto-disabled my token. Do I still need to do anything?
Yes. GitHub's secret scanning auto-revokes ghp_ and github_pat_ tokens it detects in public repositories, but the window between leak and detection can be minutes, long enough for a bot watching the public event stream to clone your private repos. It also only covers public GitHub content: a token leaked in a private repo, a CI log, a chat message or a published npm package is not revoked for you. Audit your security log for unfamiliar activity either way.
Should I use fine-grained or classic tokens?
Fine-grained. They are limited to specific repositories and to specific read or write permissions, so a leak is contained. Classic tokens carry broad scopes (for example repo) that apply to every repository your account can access, so a leaked classic token exposes everything you can reach.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.