7. Use the access token without leaking it

The access token is the credential your app sends to the API. Treat it like a password: keep it out of source code, avoid printing it, and send it only in the Authorization header of HTTPS requests to the API that issued it.

Use the bearer token header

OAuth access tokens are usually sent as bearer tokens (RFC 6750). "Bearer" means whoever holds the token can use it: the API cannot tell the app the token was issued to from someone who copied it out of a log, a screenshot, or a shell history. That is why the token needs careful handling and must only travel over TLS.

HTTP header shape
Authorization: Bearer ACCESS_TOKEN

The callback script saved the token in .env as GITHUB_ACCESS_TOKEN. That keeps the full token out of the terminal while still giving the next script a local place to read it from. The value is only as secret as the file, so keep .env gitignored and readable only by your own user. This is acceptable for a learning file. It is not a production storage design.

.env
GITHUB_ACCESS_TOKEN=github_pat_or_gho_value_saved_by_the_callback_script

Call the user endpoint

Save this as 3_github_request.py:

3_github_request.py
import os

import requests
from dotenv import load_dotenv


def mask_token(token):
    """Show only the first and last four characters: enough to confirm which
    token is in use without putting the full value in the terminal."""
    if not token or len(token) < 12:
        return "[hidden]"
    return f"{token[:4]}...{token[-4:]}"


# Read GITHUB_ACCESS_TOKEN from the gitignored .env written by the callback script.
load_dotenv()
token = os.getenv("GITHUB_ACCESS_TOKEN")

if not token:
    raise SystemExit("Missing GITHUB_ACCESS_TOKEN in .env")

# The token travels only here, in the Authorization header, over HTTPS.
headers = {
    "Authorization": f"Bearer {token}",
    "Accept": "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
}

print(f"Using token: {mask_token(token)}")

response = requests.get("https://api.github.com/user", headers=headers, timeout=10)

if response.status_code == 200:
    user = response.json()
    print(f"Authenticated as: {user['login']}")
    print(f"Name: {user.get('name') or 'Not set'}")
    print(f"Public repos: {user['public_repos']}")
elif response.status_code == 401:
    # Bad credentials: the token is missing, expired, or has been revoked.
    print("GitHub rejected the token (HTTP 401)")
else:
    print(f"GitHub returned HTTP {response.status_code}")
    print(response.text)

Run it:

Terminal
python 3_github_request.py
Terminal (example output)
Using token: gho_...3kQz
Authenticated as: octocat
Name: The Octocat
Public repos: 8

Your output will vary because it comes from the account that authorized the app. The important result is that the script proves the token works without exposing the full token: the masked preview matches the one the callback script printed, so you know which token was used, and the rest is your profile.

Do not normalize token leaks

Avoid these habits, even in demos:

  • Do not hardcode access tokens into Python files.
  • Do not print full tokens to the terminal, and do not let them reach log output through a debug print of request headers.
  • Do not put the token in a URL query string; URLs end up in proxy logs, browser history, and server access logs. The Authorization header is the only place it belongs.
  • Do not paste tokens into screenshots, issue trackers, or chat.
  • Do not commit .env; it is gitignored for a reason.
  • Do not store browser-facing tokens in localStorage: any script running on the page, including one injected through XSS, can read it. That needs a much deeper security design than this tutorial covers.
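Two of the habits above, never printing the full token and sending it only in the Authorization header to the API host, can be enforced in code rather than remembered. The block below is an added example and is not one of the tutorial's scripts: a logging filter that masks GitHub-style tokens after a message is formatted, and a requests Session that attaches the bearer header only to HTTPS requests for api.github.com. The token regex, the names redact, RedactingFilter, format_for_log, PinnedTokenSession and authorization_for, and the constructed demo token value are assumptions made for illustration.

```python
import logging
import re
from urllib.parse import urlsplit

import requests

# GitHub token prefixes (gho_ is the OAuth access token the callback script
# saved). The length floor keeps the pattern from matching ordinary words.
# Assumed pattern for this example, not a GitHub-published regex.
TOKEN_RE = re.compile(
    r"\b(?:gho|ghp|ghu|ghs|ghr)_[A-Za-z0-9]{16,}\b"
    r"|\bgithub_pat_[A-Za-z0-9_]{16,}\b"
)


def redact(text: str) -> str:
    """Replace every GitHub-style token in text with a prefix...suffix preview."""
    return TOKEN_RE.sub(lambda m: f"{m.group(0)[:4]}...{m.group(0)[-4:]}", text)


class RedactingFilter(logging.Filter):
    """Scrub tokens after the record is formatted, so even a careless
    log.debug("headers=%s", headers) cannot emit the full value."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; nothing left to substitute
        return True


def format_for_log(msg: str, *args) -> str:
    """Return what a log call with this msg/args would emit after the filter."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


class PinnedTokenSession(requests.Session):
    """requests.Session that adds the bearer header only to HTTPS requests
    for one host. Any other URL (a typo, a third-party endpoint, plain http)
    goes out without Authorization, so the token cannot be replayed there."""

    def __init__(self, token: str, allowed_host: str = "api.github.com"):
        super().__init__()
        self._token = token
        self._allowed_host = allowed_host
        self.headers["Accept"] = "application/vnd.github+json"

    def prepare_request(self, request: requests.Request) -> requests.PreparedRequest:
        prepared = super().prepare_request(request)
        parts = urlsplit(prepared.url)
        if parts.scheme == "https" and parts.hostname == self._allowed_host:
            prepared.headers["Authorization"] = f"Bearer {self._token}"
        else:
            prepared.headers.pop("Authorization", None)
        return prepared


def authorization_for(session: PinnedTokenSession, url: str):
    """Authorization header the session would send to url, or None (no I/O)."""
    return session.prepare_request(requests.Request("GET", url)).headers.get("Authorization")


if __name__ == "__main__":
    demo_token = "gho_" + "A" * 36  # constructed value; real tokens come from .env
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    log = logging.getLogger("oauth-demo")
    log.addFilter(RedactingFilter())

    session = PinnedTokenSession(demo_token)
    for url in (
        "https://api.github.com/user",
        "http://api.github.com/user",
        "https://example.com/collect",
    ):
        # The full token never reaches the terminal: the filter masks it first.
        log.debug("%s -> %s", url, authorization_for(session, url))
```

Run it and the three debug lines show a masked Bearer header for the API host and None for the plain-http and third-party URLs. requests already strips Authorization when a redirect changes host; the session closes the remaining gap, a request built for the wrong URL in the first place. Neither replaces the rule itself: the full token still must never be handed to print() or an f-string that reaches the terminal.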

On the next page, we'll slow down and look at scope and storage decisions directly, including when repository access is worth asking for.