whats the lifetime of Github OAuth API access token

2014: As commented in this "GitHub OAuth Busy Developer's Guide"

Tokens don't have to expire.
They only send back the access token and an expiration (field "expires_in", seen as far back as 2013) if the offline_access scope is not requested (as it is the case for a refresh token).
Right now, GitHub just assumes all apps want offline access.

You can check an OAuth application authorization, delete it or revoke it.
But the token itself doesn't seem to be bound to an expiry date unless they are not use for one year.

badsyntax adds in the comments:

I also found this useful:

"An OAuth token does not expire until the person who authorized the OAuth App revokes the token."
From "Migrating OAuth Apps to GitHub Apps".

Stokito points out in the comments to rfc6749 / 4.2.2 Access Token Response:

expires_in

RECOMMENDED.
The lifetime in seconds of the access token.
For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.


Update 2021:

  • July 2021: "Expiration options for personal access tokens"

You can now set an expiration date on your new and existing personal access tokens.

Setting an expiration date on personal access tokens is highly recommended as this helps keep your information secure.
GitHub will email you when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving you a duplicate token with the same properties as the original.

When using a personal access token with the GitHub API, you'll see a new response header, GitHub-Authentication-Token-Expiration, indicating the token's expiration date.
You can use this in scripts, for example, to log a warning message as the expiration date approaches.

Learn more about personal access tokens and how to use them.

  • Nov. 2021: "Expiration dates of SAML-authorized PATs available via API"

GitHub recently introduced the ability to set an expiration date when creating or regenerating a personal access token (PAT).
For a PAT that is authorized to access an organization protected by SAML single sign-on (SSO), the expiration date of that PAT is now available via the GET /orgs/{org}/credential-authorizations API.

Organization administrators can use the following gh command to see the expiration dates of all PATs that are authorized to access their org by authenticating with a PAT that has the read:org scope:

gh api --paginate /orgs/:org/credential-authorizations --jq='.[] | [.authorized_credential_expires_at]'

Learn more about authorizing a personal access token for use with SAML single sign-on.


Generally, the access_token of GitHub has no expiry until you revoke the OAuth token.

You can consider to opt in to GitHub App expiration token beta feature. This would make your app use expiring user tokens valid for 8hrs, and refresh tokens valid for 6 months

Here's an official step by step guide