npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@octokit/auth-basic

v1.4.8

Published

GitHub API Basic authentication for browsers and Node.js

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

octokitbotoctokitbot

Keywords

githuboctokitauthenticationbasicapi

Readme

⚠️ Deprecation warning

Authentication using a username and password has been deprecated by GitHub on February 14, 2020.

It will be removed entirely on November 13, 2020. Brownouts are scheduled for September 30, 2020 and October 28, 2020.

See the official deprecation announcement for more details.

auth-basic.js

GitHub API Basic authentication for browsers and Node.js

@latest Build Status

@octokit/auth-basic is implementing one of GitHub’s authentication strategies: authenticating using username and password.

Usage

Load @octokit/auth-basic directly from cdn.skypack.dev

<script type="module">
  import { createBasicAuth } from "https://cdn.skypack.dev/@octokit/auth-basic";
</script>

Install with npm install @octokit/auth-basic

const { createBasicAuth } = require("@octokit/auth-basic");
// or: import { createBasicAuth } from "@octokit/auth-basic";

Get token or basic authentication using the auth() method.

const auth = createBasicAuth({
  username: "octocat",
  password: "secret",
  async on2Fa() {
    // prompt user for the one-time password retrieved via SMS or authenticator app
    return prompt("Two-factor authentication Code:");
  },
});

const tokenAuthentication = await auth({
  type: "token",
});

const basicAuthentication = await auth({
  type: "basic",
});

Authenticate request using auth.hook()

const { hook } = createBasicAuth({
  username: "octocat",
  password: "secret",
  async on2Fa() {
    // prompt user for the one-time password retrieved via SMS or authenticator app
    return prompt("Two-factor authentication Code:");
  },
});
const requestWithAuth = request.defaults({ request: { hook } });

const authorizations = await requestWithAuth("GET /authorizations");

All strategy options

const auth = createBasicAuth({
  username: "octocat",
  password: "secret",
  async on2Fa() {
    return prompt("Two-factor authentication Code:");
  },
  token: {
    note: "octokit 2019-04-03 abc4567",
    scopes: [],
    noteUrl: "https://github.com/octokit/auth.js#basic-auth",
    fingerprint: "abc4567",
    clientId: "1234567890abcdef1234",
    clientSecret: "1234567890abcdef1234567890abcdef12345678",
  },
  request: request.defaults({
    baseUrl: "https://ghe.my-company.com/api/v3",
  }),
});

createBasicAuth() options

const { request } = require("@octokit/request");
createAppAuth({
  clientId: 123,
  clientSecret: "secret",
  request: request.defaults({
    baseUrl: "https://ghe.my-company.com/api/v3",
  }),
});

auth() options

auth() result

There are three possible results that the async auth() method can resolve to

  1. A personal access token authentication
    auth({type: 'token'}) and basic.token.clientId / basic.token.clientSecret not passed as strategy options.
  2. An OAuth access token authentication
    auth({type: 'token'}) and basic.token.clientId / basic.token.clientSecret passed as strategy options.
  3. Basic authentication
    auth({type: 'basic'})

Personal access token authentication

OAuth access token authentication

Basic authentication result

auth.hook(request, route, options) or auth.hook(request, options)

auth.hook() hooks directly into the request life cycle. It authenticates the request using either basic authentication or a token based on the request URL and handles two-factor authentication with request retries.

The request option is an instance of @octokit/request. The route/options parameters are the same as for the request() method.

auth.hook() can be called directly to send an authenticated request

const { data: authorizations } = await auth.hook(
  request,
  "GET /authorizations"
);

Or it can be passed as option to request().

const requestWithAuth = request.defaults({
  request: {
    hook: auth.hook,
  },
});

const { data: authorizations } = await requestWithAuth("GET /authorizations");

The on2Fa() method passed as strategy option is (re-)called as needed.request() method

Implementation details

GitHub recommends to use basic authentication only for managing personal access tokens. By default, the auth.hook() method implements this best practice and retrieves a personal access token to authenticate requests. All personal access tokens must have a unique note / fingerprint. The auth() method is setting a defaults that are always different to avoid conflicts. But if you set a custom token.note option, fingerprint is not set to a random string by default in order to avoid multiple tokens with the same note.

Some endpoint however do require basic authentication, such as List your authorizations or Delete an authorization. The auth.hook() method is setting the correct authorization automatically based on the request URL.

There is a special case if the user enabled two-factor authentication with SMS as method, because an SMS with the time-based one-time password (TOTP) will only be sent if a request is made to one of these endpoints

To guarantee the TOTP delivery via SMS, auth.hook() is sending an additional request which has no other effect.

License

MIT