You can configure two-factor authentication (2FA) using a TOTP app on mobile or desktop or via text message. After you have configured 2FA using a TOTP app or via text message, you can then also add security keys as alternate 2FA methods.

Your app should authenticate as an app installation when you want to attribute app activity to the app. Authenticating as an app installation lets your app access resources that are owned by the user or organization that installed the app. Authenticating as an app installation is ideal for automation workflows that don't involve user input.

You can use an installation access token from a GitHub App to make authenticated API requests in a GitHub Actions workflow. You can also pass the token to a custom action to enable the action to make authenticated API requests.

You can authenticate as a GitHub App in order to generate an installation access token or manage your app.

You can make your GitHub App authenticate as an installation in order to make API requests that affect resources owned by the account where the app is installed.

You can securely access your account's resources by authenticating to GitHub, using different credentials depending on where you authenticate.

With two-factor authentication (2FA) enabled, you'll need to use a second factor when accessing GitHub through your browser. When you first configure 2FA, your account will enter a check up period for 28 days to ensure your account's 2FA methods are setup correctly.

Learn how to create a JSON Web Token (JWT) to authenticate to certain REST API endpoints with your GitHub App.

When a user authorizes an app, they grant the app permission to act on their behalf, and they grant the account permissions that the app requested. Once a user has authorized your app, you can generate a user access token, which is a type of OAuth token.

Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to.