TIL

GitHub's Fine-Grained PATs Hide Your Private Repos

Fine-grained GitHub PATs work perfectly for git clone and git push. But if you use the REST API to find your repos, you’ll hit a surprise.

GET /user/repos returns paginated results. With a fine-grained PAT, the first pages are filled with 100+ public repos. Your private repos — the ones the token was scoped for — are buried deep in the pagination.

If your bot or automation lists repos to find the right one, it’ll time out or return the wrong result.

The fix: don’t list. Go direct.

# Bad — buries private repos in pagination
curl -H "Authorization: token $PAT" \
  https://api.github.com/user/repos

# Good — direct access, instant
curl -H "Authorization: token $PAT" \
  https://api.github.com/repos/owner/repo-name

Use /repos/:owner/:repo instead of /user/repos. Always. If you already know the repo name — and you almost always do — there’s no reason to list.
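An added example, not code from the original post: a direct lookup that a bot can branch on, since GitHub answers 404 (not 403) when a repo is private and outside the token's scope. The function names and the sh packaging are assumptions; PAT is the token variable used in the snippets above.

```shell
#!/bin/sh
# Added example (not from the original post): look up one repo directly.
# Assumed names: API, valid_name, repo_url, fetch, check_repo. PAT is the
# token variable from the post and must be set in the environment.
API="https://api.github.com"

# Accept only plain name characters, so an untrusted owner/repo value
# cannot smuggle "/", "?" or ".." into the request path.
valid_name() {
  case "$1" in
    ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

repo_url() {
  valid_name "$1" && valid_name "$2" || return 1
  printf '%s/repos/%s/%s' "$API" "$1" "$2"
}

# Prints the response body, then the HTTP status code on the last line.
fetch() {
  curl -sS -H "Authorization: token $PAT" -w '\n%{http_code}' "$1"
}

# Prints one verdict word; returns non-zero unless the repo was readable.
check_repo() {
  url=$(repo_url "$1" "$2") || { echo invalid-name; return 2; }
  out=$(fetch "$url") || { echo request-failed; return 3; }
  status=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  case "$status" in
    200) # Assumes the first "private" key in the body is the repo's own
         # flag; a JSON parser such as jq is the more robust choice.
         if printf '%s\n' "$body" | grep -Eo '"private": *(true|false)' |
              head -n 1 | grep -q 'true$'
         then echo private; else echo public; fi ;;
    401) echo bad-token; return 1 ;;
    404) echo not-found-or-outside-token-scope; return 1 ;;
    *)   echo "unexpected-status-$status"; return 1 ;;
  esac
}

# Usage: PAT=... sh check_repo.sh owner repo-name
if [ "$#" -eq 2 ]; then check_repo "$1" "$2"; fi
```

A 404 here means the token's repository selection should be checked before assuming the repo was deleted or renamed.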