Skip to content
Latchkey

How to Choose Between Fine-Grained PAT, Classic PAT, and GitHub App

Fine-grained PATs scope to specific repos and permissions; classic PATs are broad; App tokens are org-owned and short-lived.

For CI that touches other repos, prefer a GitHub App installation token. A fine-grained PAT is a reasonable second choice. A classic PAT should be a last resort because its scopes are coarse and it ties access to one person.

Comparison

Classic PATFine-grained PATApp token
Scope granularityCoarse (repo, workflow)Per-repo, per-permissionPer-install, per-permission
OwnerA personA personThe App / org
Max expiryOptional, up to no expiryEnforced, e.g. 1 year~1 hour (installation)
Best forLegacy scriptsSingle-user narrow tasksOrg CI, cross-repo work

Rule of thumb

  • Automation shared by a team should not depend on a personal token.
  • If you must use a PAT, choose fine-grained and set the shortest workable expiry.
  • Prefer short-lived scoped App tokens over long-lived PATs for anything cross-repo.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →