Authenticate access with personal access tokens

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017

Personal access tokens (PATs) are alternate passwords that you can use to authenticate in to Azure DevOps. In this article, we walk you through how to create or revoke PATS.

Azure DevOps use enterprise-grade authentication to help protect and secure your data. Clients like Visual Studio and Eclipse (with the Team Explorer Everywhere plug-in) also support Microsoft account and Azure AD authentication.

For non-Microsoft tools that integrate into Azure DevOps but don't support Microsoft account or Azure AD authentication, you must use PATs. Examples include Git, NuGet, or Xcode. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually.

Create personal access tokens to authenticate access

  1. Sign in to either your organization in Azure DevOps (https://dev.azure.com/{yourorganization}) or your Team Foundation Server web portal (https://{server}:8080/tfs/).

  2. From your home page, open your profile. Go to your security details.

    Azure DevOps Services

    Go to organization home, open your profile, go to Security

    TFS 2017

    TFS home page, open your profile, go to Security

  3. Create a personal access token.

    Add a personal access token

  4. Name your token. Select a lifespan for your token.

    If you're using Azure DevOps Services, and you have more than one organization, you can also select the organization where you want to use the token.

    Name your token, select a lifespan. If using VSTS, select an account for your token

  5. Select the scopes that this token will authorize for your specific tasks.

    For example, to create a token to enable a build and release agent to authenticate to Azure DevOps Services or TFS, limit your token's scope to Agent Pools (read, manage).

  6. When you're done, make sure to copy the token. You'll use this token as your password.

    Use a token as the password for your Git tools or apps

    Note

    Remember that this token is your identity and acts as you when it's used. Keep your tokens secret and treat them like your password.

    To keep your token more secure, use credential managers so that you don't have to enter your credentials every time. Here are some recommended credential managers:

Revoke personal access tokens to remove access

When you don't need your token anymore, just revoke it to remove access.

  1. From your home page, open your profile. Go to your security details.

    Azure DevOps Services

    Go to the organization home page, open your profile, go to Security

    TFS 2017

    Go to the TFS home page, open your profile, go to Security

  2. Revoke access.

    Revoke a token or all tokens

See the following examples of using your PAT.

Username: anything Password: your PAT here

or

git clone https://anything:<PAT>@dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName

To learn more about how security and identity are managed, see About security and identity.

To learn more about permissions and access levels for common user tasks, see Default permissions and access for Azure DevOps.

For administrators to revoke organization user PATs, see Revoke other users' personal access tokens.

Frequently asked questions

What is my Azure DevOps Services URL?

https://dev.azure.com/{yourorganization}

Where can I learn more about how to use PATs?

For examples of how to use PATs, see Git credential managers, REST APIs, NuGet on a Mac, and Reporting clients.

What notifications will I get about my PAT?

Users receive two notifications during the lifetime of a PAT, one at creation and the other seven days before the expiration.

The following notification is sent at PAT creation:

PAT creation notification

The following notification is sent - a PAT is near expiration:

PAT near expiration notification

What do I do if I get an unexpected PAT notification?

An administrator or a tool might have created a PAT on your behalf. See the following examples:

  • When you connect to an Azure DevOps Services Git repo through git.exe. it creates a token with a display name like "git: https://MyOrganization.visualstudio.com/ on MyMachine."
  • When you or an admin sets up an Azure App Service web app deployment, it creates a token with a display name like "Service Hooks :: Azure App Service :: Deploy web app."
  • When you or an admin sets up web load testing as part of a pipeline, it creates a token with a display name like "WebAppLoadTestCDIntToken".
  • When a Microsoft Teams Integration Messaging Extension is set up, it creates a token with a display name like "Microsoft Teams Integration".

If you still believe that a PAT exists in error, we suggest that you revoke the PAT. Next, change your password. As an Azure Active Directory user, check with your administrator to see if your organization was used from an unknown source or location.