How to Choose Between Fine-Grained PAT, Classic PAT, and GitHub App
Fine-grained PATs scope to specific repos and permissions; classic PATs are broad; App tokens are org-owned and short-lived.
For CI that touches other repos, prefer a GitHub App installation token. A fine-grained PAT is a reasonable second choice. A classic PAT should be a last resort because its scopes are coarse and it ties access to one person.
Comparison
| Classic PAT | Fine-grained PAT | App token | |
|---|---|---|---|
| Scope granularity | Coarse (repo, workflow) | Per-repo, per-permission | Per-install, per-permission |
| Owner | A person | A person | The App / org |
| Max expiry | Optional, up to no expiry | Enforced, e.g. 1 year | ~1 hour (installation) |
| Best for | Legacy scripts | Single-user narrow tasks | Org CI, cross-repo work |
Rule of thumb
- Automation shared by a team should not depend on a personal token.
- If you must use a PAT, choose fine-grained and set the shortest workable expiry.
- Prefer short-lived scoped App tokens over long-lived PATs for anything cross-repo.
Related guides
Why a GitHub App Token Beats a Personal Access Token in CICompare a GitHub App installation token with a personal access token for CI: scoped to specific repos, short-…
How to Handle GitHub API Rate Limits by Token Type in CIUnderstand GitHub API rate limits for GITHUB_TOKEN, user PATs, and GitHub App installation tokens, and pick t…