Notice about upcoming new format for GitHub App installation tokens
Source: GitHub Actions Blog
Starting April 27 2026 and over the coming weeks, we will begin a staged rollout that updates the format of newly minted GitHub App installation tokens, making them more performant and improving the reliability of our API surface. If your application expects or relies on installation tokens being exactly 40 characters long, it may not handle this new token format correctly.
What is changing?
We’re now supporting a new, stateless token format for GitHub App installation tokens that improves token issuance performance under increased load and helps us deliver higher reliability at scale.
Newly issued GitHub App installation tokens will use an updated format with the changes below:
- The overall length of the tokens will be longer (~520 characters) and will vary based on the data stored within it.
- The token format for installation tokens (
ghs_tokens) will be changing toghs_APPID_JWT.
Note: The prefixes for any of the GitHub token types are not changing and installation tokens will still be prefixed with
ghs_.
The JWT is signed using a GitHub‑internal issuer and cannot nor should be validated by a client app. It contains details about the token such as the target installation, the application, and basic validation details. As with all access tokens, client apps must not take a dependency on the contents of this JWT.
Scope
- Existing App installation tokens continue to work until they expire.
- This change applies to GitHub Enterprise Cloud and Data Residency environments. GitHub Enterprise Server isn’t impacted.
- Upcoming rollouts will apply the new token format only to GitHub App installation server‑to‑server tokens, including Actions
GITHUB_TOKEN. - Not in scope yet, but we’ll share more details in the coming weeks on planned format changes for user‑to‑server tokens used in Copilot code review flows.
What to expect over the next few weeks
In the coming weeks, we will be doing a staged rollout for the format changes to GitHub App installation tokens:
April 27 – mid‑May 2026
We’ll begin a staged rollout of the updated format to GitHub Actions‑issued GITHUB_TOKEN and the GitHub App installation tokens issued to all the other first‑party featured integrations (e.g., Dependabot, Slack, and Teams). This should not impact your existing Actions workflows. Reach out to GitHub Support if you see this change affecting your Actions workflows and want to temporarily opt‑out of the change.
Mid‑May to late‑June 2026
We’ll begin a staged rollout of the updated format to all the GitHub App installation tokens. We will provide more guidance on how to test these new tokens locally to validate that your GitHub Apps continue to work as expected before we roll out the change more broadly. We’ll introduce a brownout period to identify integrations that still depend on token format assumptions, followed by broad enablement of the updated format.
How to prepare for this change
Treat tokens as opaque strings and avoid validating them against hard‑coded patterns.
To help prepare, ensure that:
- Your apps do not depend on access tokens being a certain length.
- There are no regexes in your codebase such as
ghs_[A-Za-z0-9]{36}that validate a token. These may not match the new tokens. - Any database columns for access tokens can fit at least a 520‑character string.
Join the discussion within the GitHub Community.