How do I find the owner of a GitHub token?

tl;dr To identify the owner of a GitHub Personal Access Token (PAT), use one of two methods:

1. TruffleHog – Run trufflehog analyze github with the token for automated lookup.

2. GitHub API – Query the /user endpoint with the token.

A leaked GitHub Personal Access Token (PAT) can grant unauthorized access to repositories, secrets, and CI/CD workflows. If you discover a PAT, your first priority is to identify the associated account.

Identifying the Owner Using TruffleHog

Manually querying API endpoints for every leaked PAT is inefficient. TruffleHog automates this process.

Run the following command:

trufflehog analyze github

You will be prompted to enter a GitHub token.

TruffleHog will authenticate using the provided token and extract the associated username.

What’s Happening Behind the Scenes?

• TruffleHog authenticates to GitHub using the token.

• It queries the /user endpoint.

• It extracts and outputs the GitHub username linked to the token.

🔍 Check out the TruffleHog implementation for more details.

Querying GitHub Manually (Alternative Method)

If you prefer a manual approach, use this cURL command:

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28"  \
https://api.github.com/user

This will return a JSON response containing the username, account ID, and email (if available):

{ "login" : "username", "id": 123456, "email": "[email protected]" }

Mitigating the Risk of Leaked PATs

Leaked GitHub PATs pose a serious security risk, often granting access to private repositories, CI/CD pipelines, and organization secrets. If a PAT is exposed:

• Immediately revoke the compromised token.

• Audit repositories and logs for unauthorized access.

• Enable fine-grained access controls to limit token permissions.

TruffleHog makes finding and investigating leaked GitHub PATs faster and more efficient.
🔍 Check out the TruffleHog GitHub repository for more details.