Use personal access tokens

Article
2025-05-14

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

A Personal Access Token (PAT) serves as an alternative password for authenticating into Azure DevOps. This PAT identifies you and determines your accessibility and scope of access. Treat PATs with the same level of caution as passwords.

When you use Microsoft tools, your Microsoft account (MSA) or Microsoft Entra ID is recognized and supported. If you use tools that don't support Microsoft Entra accounts or don't want to share your primary credentials, PATs can be a suitable alternative. However, we recommend using Microsoft Entra tokens over PATs whenever possible.

Important

We recommend the more secure Microsoft Entra tokens over higher-risk personal access tokens. Learn more about our efforts to reduce PAT usage. Review our authentication guidance to choose the right authentication mechanism for your needs.

Prerequisites

Category	Requirements
Permissions	Permission to access and modify your user settings where PATs are managed. - Go to your profile and select User settings > Personal access tokens. If you can see and manage your PATs here, you have the necessary permissions. - Go to your project and select Project settings > Permissions. Find your user account in the list and check the permissions assigned to you. Look for permissions related to managing tokens or user settings. - If your organization has policies in place, an administrator might need to grant you specific permissions or add you to an allowlist to create and manage PATs. - PATs are connected to the user account that minted the token. Depending on the tasks the PAT performs, you might need more permissions yourself.
Access levels	At least Basic access.
Tasks	Use PATs only when necessary and always regularly rotate them. See our section on Best Practices when using PATs.

Create a PAT

Sign in to your organization (https://dev.azure.com/{Your_Organization}).
From your home page, open user settings and select Personal access tokens.
Select + New Token.
Name your token, select the organization where you want to use the token, and then set your token to automatically expire after a set number of days.
Select the scopes for this token to authorize for your specific tasks.

For example, to create a token for a build and release agent to authenticate to Azure DevOps, set the token's scope to Agent Pools (Read & manage). To read audit log events and manage or delete streams, select Read Audit Log, and then select Create.

Note

Your admin(s) may restrict you from creating full-scoped PATs or limit you to packaging-scope PATs only. Reach out to your admin to get on the allowlist if you need access to additional scopes. Some scopes, e.g. vso.governance, may not be available in the UI if they aren't for widespread public use.
When you're done, copy the token and store it in a secure ___location. For your security, it doesn't display again.

Use your PAT anywhere your user credentials are required for authentication in Azure DevOps.

Important

Treat a PAT with the same caution as your password and keep it confidential. DO NOT SHARE PATS.
For organizations backed by Microsoft Entra ID, you must sign in with your new PAT within 90 days or it will become inactive. For more information, see User sign-in frequency for Conditional Access.

Notifications

During the lifespan of a PAT, users receive two notifications: at time of creation and three days before expiration.

After you create a PAT, you may receive a notification similar to below. This notification serves as confirmation that your PAT was successfully added to your organization.

Screenshot showing PAT created notification.

An expiration notification email will be sent three days prior to expiration. If your admin has removed your ability to create PATs in the organization, the email will indicate that it is no longer possible for you to regenerate PATs. Reach out to your Project Collection Administrator to be included in an allowlist for continued PAT creation permissions in that organization.

For more information, see Configure an SMTP server and customize email for alerts and feedback requests.

Unexpected notification

If you receive an unexpected PAT notification, it might mean that an administrator or tool created a PAT for you. Here are some examples:

A token named "git: https://dev.azure.com/{Your_Organization} on YourMachine" gets created when you connect to an Azure DevOps Git repo via git.exe.
A token named "Service Hooks: Azure App Service: Deploy web app" gets created when you or an administrator sets up an Azure App Service web app deployment.
A token named "WebAppLoadTestCDIntToken" gets created when web load testing gets set up as part of a pipeline by you or an administrator.
A token named "Microsoft Teams Integration" gets created when a Microsoft Teams Integration Messaging Extension gets set up.

Warning

Revoke the PAT (and change your password) if you suspect it exists in error.
Check with your administrator if you're a Microsoft Entra user to see if an unknown source or ___location accessed your organization.
Review the FAQ on accidental PAT check-ins to public GitHub repositories.

Use a PAT

Your PAT serves as your digital identity, much like a password. You can use PATs as a quick way to do one-off requests or prototype an application locally. Use a PAT in your code to authenticate REST APIs requests and automate workflows by including the PAT in the authorization header of your request.

Important

Once your app code is working, switch to Microsoft Entra OAuth to acquire tokens on-behalf-of your app's users or a service principal or managed identity to acquire tokens as an application. It is not recommended to keep running apps or scripts with PATs long-term. Microsoft Entra tokens can be used anywhere a PAT is used. Consider acquiring a Microsoft Entra token via the Azure CLI for ad-hoc requests.

Windows
Linux/macOS

To provide the PAT through an HTTP header, you must first convert it to a Base64 string. It can then be provided as an HTTP header in the following format.


Authorization: Basic BASE64_USERNAME_PAT_STRING

The following sample gets a list of builds using curl.


curl -u :{PAT} https://dev.azure.com/{organization}/_apis/build-release/builds

Modify a PAT

Do the following steps to:

Regenerate a PAT to create a new token, which invalidates the previous one.
Extend a PAT to increase its validity period.
Alter the scope of a PAT to change its permissions.

From your home page, open user settings and select Personal access tokens.
Select the token you want to modify, and then Edit.
Edit the token name, token expiration, or the scope of access associated with the token, and then select Save.

Revoke a PAT

You can revoke a PAT at any time for these and other reasons:

Revoke a PAT if you suspect it's compromised.
Revoke a PAT when it's no longer needed.
Revoke a PAT to enforce security policies or compliance requirements.

From your home page, open user settings and select Personal access tokens.
Under Security, select Personal access tokens. Select the token for which you want to revoke access, and then select Revoke.
Select Revoke in the confirmation dialog.

PAT Lifecycle Management APIs

The PAT Lifecycle Management APIs may be useful when maintaining large volumes of tokens through UI is unsustainable. Managing PAT rotation programmatically also opens the opportunity to rotate PATs regularly and shorten their default lifespans. Our sample Python app can be configured with your Microsoft Entra tenant and Azure DevOps organization.

Some things to note about these APIs:

Microsoft Entra access tokens are required to access this API as generally a stronger form of authentication is recommended when minting new tokens.
Only users or apps using an "on-behalf-of user" flow can generate PATs. Apps using "on-behalf-of application" flows or authentication flows that don't issue Microsoft Entra access tokens aren't valid for use with this API. As such, service principals or managed identities can't create or manage PATs.
Previously the PAT Lifecycle Management APIs only supported the user_impersonation scope, but now the vso.tokens are available and the recommended scope to use with these APIS. Downscope all apps that previously relied on user_impersonation to call these APIs.

Changes to format

As of July 2024, we updated the format of PAT strings to improve secret detection in our leaked PAT detection tooling and partner offerings. This new PAT format includes more identifiable bits to improve the false positive detection rate in these detection tools and mitigate detected leaks faster.

New tokens are now 84 characters long, with 52 characters being randomized data. This improves overall entropy, making tokens more resistant to brute force attacks.
Tokens issued by our service include a fixed AZDO signature at positions 76-80.

If you are using a PAT issued prior to that data, regenerate your PAT. If you integrate with PATs and have PAT validation built-in, update your validate code to accommodate both new and existing token lengths.

Warning

Both formats will remain valid for the foreseeable future. As adoption of the new format increases, we may retire older 52-character PATs.

Best practices for using PATs

Consider alternatives

Acquire a Microsoft Entra token via the Azure CLI for ad-hoc requests instead of minting a longer-lived PAT.
Use credential managers like Git Credential Manager or Azure Artifacts Credential Manager to simplify credential management, with authentication set to oauth or Microsoft Entra tokens.

Creating PATs

Don't put personal data in the PAT name. Don't rename the PAT name to include some or all of the actual PAT token.
Avoid creating global PATs unless necessary across all organizations.
Use a different token per flow or user case.
Choose the minimally needed scopes per PAT. Create a separate PAT with fewer scopes for each flow, instead of a single full-scoped PAT for all flows. If your PAT needs read-only permissions, don't provide write permissions until necessary.
Keep PAT lifespans short (weekly is ideal, even shorter is better).

Managing PATs

Don't share your PATs!
Store your PATs in a secure key management solution, like Azure KeyVault.
Regularly rotate or regenerate your PATs via UI or PAT Lifecycle Management APIs.
Revoke PATs when no longer needed.
Rotate your PATs to use the new PAT format for better leaked secret detection and revocation by our first-party tools.

For admins

Tenant admins can set policies to restrict global PAT creation, full scoped PAT creation, and long-lived PAT duration.
Tenant admins can revoke PATs for their organization users if the PAT is compromised.
Organization admins can restrict PAT creation in an organization. If PATs are still needed, limit their creation to only those on the allowlist.

FAQs

Q: Why can't I edit or regenerate a PAT scoped to a single organization?

A: Sign into the organization where your PAT is scoped. You can view all your PATs while signed into any organization in the same Microsoft Entra ID by changing the Access scope filter, but you can only edit organization-scoped tokens when signed into the specific organization.

Q: What happens to a PAT if a user account is disabled?

A: When a user is removed from Azure DevOps, the PAT invalidates within 1 hour. If your organization is connected to Microsoft Entra ID, the PAT also invalidates in Microsoft Entra ID, as it belongs to the user. We recommend rotating the PAT to another user or service account to keep services running.

Q: Can I use PATs with all Azure DevOps REST APIs?

A: No. You can use PATs with most Azure DevOps REST APIs, but organizations and profiles and the PAT Management Lifecycle APIs only support Microsoft Entra tokens.

Q: What happens if I accidentally check my PAT into a public repository on GitHub?

A: Azure DevOps scans for PATs checked into public repositories on GitHub. When we find a leaked token, we immediately send a detailed email notification to the token owner and log an event in your Azure DevOps organization's audit log. We encourage affected users to mitigate the issue by revoking the leaked token and replacing it with a new token.

Unless you disabled the Automatically revoke leaked personal access tokens policy, we immediately revoke the leaked PAT. For more information, see Revoke leaked PATs automatically.

Q: Can I use a personal access token as an ApiKey to publish NuGet packages to an Azure Artifacts feed using the dotnet/nuget.exe command line?

A: No. Azure Artifacts doesn't support passing a PAT as an ApiKey. When using a local development environment, we recommend installing the Azure Artifacts Credential Provider to authenticate with Azure Artifacts. For more information, see the following examples: dotnet, NuGet.exe. If you want to publish your packages using Azure Pipelines, use the NuGet Authenticate task to authenticate with your feed. See example.

Q: Why did my PAT stop working?

A: PAT authentication requires you to regularly sign into Azure DevOps using the full authentication flow. Signing in once every 30 days is sufficient for many users, but you might need to sign in more frequently depending on your Microsoft Entra configuration. If your PAT stops working, first try signing into your organization and complete the full authentication prompt. If your PAT still doesn't work, check if it expired.

Enabling IIS Basic Authentication invalidates using PATs for Azure DevOps Server. We recommend that you keep IIS Basic Authentication turned off always.

Warning

If you use Git with IIS Basic Authentication, Git breaks because it requires PATs for user authentication. You can adding an extra header to Git requests to use it with IIS Basic Authentication, but this is not recommended. The extra header must be used for all Azure DevOps Server installations, as Windows Auth also prevents using PATs. The extra header must also include a base 64 encoding of "user:PAT."

git -c http.extraheader='Authorization: Basic [base 64 encoding of "user:password"]' ls-remote http://tfsserver:8080/tfs/DefaultCollection/_git/projectName

Q: How do I create access tokens that aren't tied to a person?

A: All PATs are associated with the user identity that created it. Applications can't create PATs.

In Azure DevOps, you can create access tokens that aren't tied to a specific person by using Microsoft Entra tokens minted by an application service principal or managed identity. Within a pipeline, use service connections.

Q: How can I regenerate/rotate PATs through the API? I saw that option in the UI, but I don’t see a similar method in the API.

The 'Regenerate' functionality available in the UI actually accomplishes a few actions, which can be replicated through API.

To rotate your PAT, do the following steps:

See PAT metadata with a GET call,
Create a new PAT with the old PAT id using a POST call,
Revoke the old PAT using a DELETE call.

Q: I see a "Need admin approval" pop-up when I try to use an Entra app to call the PAT Lifecycle Management APIs.

Your tenant's security policies require admin consent before applications can access organization resources in the organization. Reach out to your tenant admin(s).

Q: Can I use a service principal to create or manage PATs?

No, personal access tokens belong to a user identity. Entra service principals or managed identities are able to generate short-lived Entra tokens that can be used in most places where a PAT is accepted. Learn more about our efforts to reduce PAT usage across Azure DevOps and explore replacing PATs with Entra tokens.

Share via

Use personal access tokens

Prerequisites

Create a PAT

Notifications

Unexpected notification

Use a PAT

Feedback

Additional resources