- Sign in to your organization (`https://dev.azure.com/{Your_Organization}`).
- From your home page, open user settings :::image type="icon" source="../../../media/icons/user-settings-gear.png" border="false"::: and select Personal access tokens.
:::image type="content" source="../media/select-personal-access-tokens.png" alt-text="Screenshot showing selection, Personal Access Tokens.":::
- Select + New Token.
:::image type="content" source="../media/select-new-token.png" alt-text="Screenshot showing selection, New Token.":::
- Name your token, select the organization where you want to use the token, and then set your token to automatically expire after a set number of days.
:::image type="content" source="../media/create-new-pat.png" alt-text="Screenshot showing entry of basic token information.":::
- Select the scopes for this token to authorize for your specific tasks.
For example, to create a token to enable a build and release agent to authenticate to Azure DevOps, limit your token's scope to Agent Pools (Read & manage). To read audit log events, and manage and delete streams, select Read Audit Log, and then select Create.
:::image type="content" source="../media/select-pat-scopes-preview.png" alt-text="Screenshot showing selected scopes for a PAT.":::
[!NOTE] You might be restricted from creating full-scoped PATs. If so, your Azure DevOps Administrator in Microsoft Entra ID enabled a policy which limits you to a specific custom defined set of scopes. For more information, see Manage PATs with policies/Restrict creation of full-scoped PATs. For a custom defined PAT, the required scope for accessing the Component Governance API, `vso.governance`, isn't selectable in the UI.
- When you're done, copy the token and store it in a secure location. For your security, it doesn't display again.
:::image type="content" source="../media/copy-token-to-clipboard.png" alt-text="Screenshot showing how to copy the token to your clipboard.":::
Use your PAT anywhere your user credentials are required for authentication in Azure DevOps.
Important
- Handle a PAT with the same caution as your password and keep it a secret.
- For organizations backed by Microsoft Entra ID, it's necessary to sign in with your new PAT within 90 days; failure to do so renders the PAT inactive. For more information, see User sign-in frequency for Conditional Access.
During the lifespan of a PAT, users receive two notifications - the first one at the time of creation and the second one seven days prior to its expiration.
After you create a PAT, you receive a notification similar to the following example. This notification serves as confirmation that your PAT was successfully added to your organization.
:::image type="content" source="/azure/devops/organizations/accounts/media/use-personal-access-tokens-to-authenticate/pat-creation.png" alt-text="Screenshot showing PAT created notification.":::
The following image shows an example of the seven-day notification before your PAT expires.
:::image type="content" source="/azure/devops/organizations/accounts/media/use-personal-access-tokens-to-authenticate/pat-expiration.png" alt-text="Screenshot showing PAT near expiration notification.":::
::: moniker range=" < azure-devops"
For more information, see Configure an SMTP server and customize email for alerts and feedback requests.
::: moniker-end
If you get an unexpected PAT notification, it might mean that an administrator or tool created a PAT for you. Here are some examples.
- A token named "git: `https://dev.azure.com/{Your_Organization}` on YourMachine" gets created when you connect to an Azure DevOps Git repo via git.exe.
- A token named "Service Hooks: : Azure App Service: : Deploy web app" gets created when an Azure App Service web app deployment is set up by you or an administrator.
- A token named "WebAppLoadTestCDIntToken" gets created when web load testing is set up as part of a pipeline by you or an administrator.
- A token named "Microsoft Teams Integration" gets created when a Microsoft Teams Integration Messaging Extension is set up.
Warning
If you suspect that a PAT exists in error, consider revoking the PAT and changing your password. As a Microsoft Entra user, check with your administrator to see if your organization was used by an unknown source or location. Also, refer to the FAQ on accidental PAT check-ins to public GitHub repositories.
Your PAT serves as your digital identity, representing you when utilized, much like a password does.
Git
Git interactions require a username, which can be anything except the empty string.
To use a PAT with HTTP basic authentication, Base64-encode `$MyPat`, as shown in the following code block.
In PowerShell, enter the following code.
```powershell
$MyPat = 'yourPat'
$headerValue = "Authorization: Basic " + [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":" + $MyPat))
$env:GIT_AUTH_HEADER = $headerValue
git --config-env=http.extraheader=GIT_AUTH_HEADER clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
```
To keep your token more secure, use credential managers so you don't have to enter your credentials every time. We recommend Git Credential Manager. Git for Windows is required.
In Bash, enter the following code.
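```bash
MY_PAT=yourPAT # replace "yourPAT" with "PatStringFromWebUI"
# Base64-encode only ":<PAT>" (empty user name); strip newlines that base64 may insert when wrapping.
B64_PAT=$(printf ":%s" "$MY_PAT" | base64 | tr -d '\n')
# --config-env reads the value from an environment variable, so it must be exported.
export HEADER_VALUE="Authorization: Basic $B64_PAT"
git --config-env=http.extraheader=HEADER_VALUE clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
```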
To keep your token more secure, use credential managers so you don't have to enter your credentials every time. We recommend Git Credential Manager.
Existing repos
For existing repositories, if you already added the origin using the username, run the following command first.
```bash
git remote remove origin
```
Otherwise, run the following command.
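```bash
git remote add origin https://dev.azure.com/<PAT>@<company_machineName>:/<path-to-git-repo>
# path to git repo = <project name>/_git/<repo_name>
git push -u origin --all
```

A PAT placed in the remote URL is stored in plain text in the repository's `.git/config`, so prefer a credential manager where you can.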
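A check for remotes configured this way, as an added example that is not part of the original article: the function below reads a Git config file and reports remotes whose URL carries a secret, printing the URL redacted. The sample config, the function names, and the 40-character threshold for a token-like user name are assumptions made for this example.

```bash
# Added example: flag Git remotes whose URL embeds a secret, and print them redacted.
# Assumption: a colon-less userinfo of >= 40 characters is treated as token-like.

# write_sample_config FILE: writes a constructed .git/config (all values are made up).
write_sample_config() {
    cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://contoso@dev.azure.com/contoso/proj/_git/app
[remote "backup"]
    url = https://:CONSTRUCTED-PAT-VALUE@dev.azure.com/contoso/proj/_git/app
[remote "mirror"]
    url = https://01234567890123456789012345678901234567890123456789@dev.azure.com/contoso/proj/_git/app
EOF
}

# scan_git_config FILE [MINLEN]: prints "remote<TAB>reason<TAB>redacted-url" per finding.
# Exit status 0 if at least one remote carries a secret, 1 if none do.
scan_git_config() {
    awk -v minlen="${2:-40}" '
        /^\[remote "/ { name = $0; sub(/^\[remote "/, "", name); sub(/"\].*/, "", name); next }
        /^\[/         { name = ""; next }
        name != "" && /^[ \t]*url[ \t]*=/ {
            url = $0; sub(/^[ \t]*url[ \t]*=[ \t]*/, "", url)
            if (!match(url, "^https?://[^/@ \t]+@")) next    # no userinfo at all
            pre  = index(url, "://") + 2                      # length of the scheme prefix
            info = substr(url, pre + 1, RLENGTH - pre - 1)    # text between "://" and "@"
            colon = index(info, ":")
            if (colon > 0 && colon < length(info)) reason = "password-in-url"
            else if (colon == 0 && length(info) >= minlen) reason = "token-like-username"
            else next                                         # plain user name, e.g. org@
            print name "\t" reason "\t" substr(url, 1, pre) "***@" substr(url, RLENGTH + 1)
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demo on the constructed file; for a real clone: scan_git_config "$(git rev-parse --git-dir)/config"
sample=$(mktemp)
write_sample_config "$sample"
scan_git_config "$sample" || true
rm -f "$sample"
```

The `origin` remote in the sample is not reported: a short user name before the `@` is not a secret.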
You can use a PAT in your code.
To provide the PAT through an HTTP header, first convert it to a Base64 string. The resulting string can then be provided as an HTTP header in the following format.

```
Authorization: Basic BASE64_USERNAME_PAT_STRING
```

The following sample shows how to convert to Base64 and uses the HttpClient class in C#.
```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Wrapper class added so the method compiles on its own.
public static class BuildSample
{
    // Returns Task instead of void so callers can await the call and observe exceptions.
    public static async Task GetBuilds()
    {
        try
        {
            var personalaccesstoken = "PATFROMWEB";

            using (HttpClient client = new HttpClient())
            {
                client.DefaultRequestHeaders.Accept.Add(
                    new MediaTypeWithQualityHeaderValue("application/json"));

                // Basic authentication with an empty user name: Base64(":" + PAT).
                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
                    Convert.ToBase64String(
                        Encoding.ASCII.GetBytes(
                            string.Format("{0}:{1}", "", personalaccesstoken))));

                // Awaited rather than blocked on with .Result.
                using (HttpResponseMessage response = await client.GetAsync(
                    "https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0"))
                {
                    response.EnsureSuccessStatusCode();
                    string responseBody = await response.Content.ReadAsStringAsync();
                    Console.WriteLine(responseBody);
                }
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
    }
}
```
Tip
When you're using variables, add a `$` at the beginning of the string, like in the following example.
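```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Wrapper class added so the method compiles on its own.
public static class BuildSample
{
    // Returns Task instead of void so callers can await the call and observe exceptions.
    public static async Task GetBuilds()
    {
        try
        {
            var personalaccesstoken = "PATFROMWEB";
            // Variables substituted into the interpolated URL below.
            var organization = "yourOrgName";
            var project = "yourProjectName";

            using (HttpClient client = new HttpClient())
            {
                client.DefaultRequestHeaders.Accept.Add(
                    new MediaTypeWithQualityHeaderValue("application/json"));

                // Basic authentication with an empty user name: Base64(":" + PAT).
                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
                    Convert.ToBase64String(
                        Encoding.ASCII.GetBytes(
                            string.Format("{0}:{1}", "", personalaccesstoken))));

                // Awaited rather than blocked on with .Result.
                using (HttpResponseMessage response = await client.GetAsync(
                    $"https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0"))
                {
                    response.EnsureSuccessStatusCode();
                    string responseBody = await response.Content.ReadAsStringAsync();
                    Console.WriteLine(responseBody);
                }
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
    }
}
```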
The following sample gets a list of builds using curl.
```bash
curl -u :{PAT} https://dev.azure.com/{organization}/_apis/build-release/builds
```
When your code is working, it's a good time to switch from basic auth to OAuth.
For more information and examples of how to use PATs, see the following articles:
- Git credential managers
- REST APIs
- NuGet on a Mac
- Reporting clients
- Get started with Azure DevOps CLI
::: moniker range="azure-devops"
You can regenerate a PAT, extend it, or alter its scope. Once regenerated, the previous PAT becomes unauthorized.
- From your home page, open your user settings, and then select Profile.
:::image type="content" source="../media/my-profile-team-services-preview.png" alt-text="Screenshot showing sequence of buttons to select to modify a PAT.":::
- Under Security, select Personal access tokens. Select the token you want to modify, and then Edit.
:::image type="content" source="../media/select-edit-pat-current-view.png" alt-text="Screenshot showing highlighted Edit button to modify PAT.":::
- Edit the token name, token expiration, or the scope of access associated with the token, and then select Save.
:::image type="content" source="../media/modify-pat.png" alt-text="Screenshot showing modified PAT.":::
You can revoke a PAT at any time, for many reasons.
- From your home page, open your user settings, and then select Profile.
:::image type="content" source="../media/my-profile-team-services-preview.png" alt-text="Screenshot showing sequence of buttons to select, Team Services, Preview page, and revoke a PAT.":::
- Under Security, select Personal access tokens. Select the token for which you want to revoke access, and then select Revoke.
:::image type="content" source="../media/revoke-personal-access-tokens-preview.png" alt-text="Screenshot showing selection to revoke a single token or all tokens.":::
- Select Revoke in the confirmation dialog.
:::image type="content" source="../media/revoke-token-confirmation-dialog-preview.png" alt-text="Screenshot showing confirmation screen to revoke PAT.":::
For more information, see Revoke user PATs for admins.
::: moniker-end