Azure Repos | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 Update 3
Choose a method to securely access the code in Azure Repos, Azure DevOps Server 2019, or Team Foundation Server (TFS) Git repositories. Use these credentials with Git at a command prompt. These credentials also work with any Git client that supports HTTPS or SSH authentication. Limit the scope of access and revoke these credentials when they're no longer needed.
Azure DevOps will no longer support Alternate Credentials authentication beginning March 2, 2020. If you're still using Alternate Credentials, you have until then to transition to a more secure authentication method, to avoid this breaking change impacting your DevOps workflows. Learn more.
Azure DevOps Server was formerly named Visual Studio Team Foundation Server.
Using Visual Studio? Team Explorer handles authentication with Azure Repos for you.
|Authentication Type||When to use||Secure?||Ease of setup||Additional tools|
|Personal access tokens||You need an easy to configure credential or need configurable access controls||Very secure (when using HTTPS)||Easy||Optional (Git credential managers)|
|SSH||You already have SSH keys set up, or are on macOS or Linux||Very secure||Intermediate||Windows users will need the SSH tools included with Git for Windows|
|Alternate credentials||You can't use personal access tokens or SSH||Least secure||Easy||See important information about alternate credentials|
Personal access tokens
Personal access tokens (PATs) give you access to Azure DevOps and Team Foundation Server (TFS), without using your username and password directly. These tokens have an expiration date from when they're created. You can restrict the scope of the data they can access. Use PATs to authenticate if you don't already have SSH keys set up on your system or if you need to restrict the permissions that are granted by the credential.
Use Git Credential Manager to generate tokens
Git credential managers is an optional tool that makes it easy to create PATs when you're working with Azure Repos. Sign in to the web portal, generate a token, and then use the token as your password when you're connecting to Azure Repos.
PATs are generated on demand when you have the credential manager installed. The credential manager creates the token in Azure DevOps and saves it locally for use with the Git command line or other client.
Current versions of Git for Windows include the Git credential manager as an optional feature during installation.
SSH key authentication
Key authentication with SSH works through a public and private key pair that you create on your computer. You associate the public key with your username from the web. Azure DevOps will encrypt the data sent to you with that key when you work with Git. You decrypt the data on your computer with the private key, which is never shared or sent over the network.
SSH is a great option if you've already got it set up on your system—just add a public key to Azure DevOps and clone your repos using SSH. If you don't have SSH set up on your computer, you should use PATs and HTTPS instead - it's secure and easier to set up.
Learn more about setting up SSH with Azure DevOps
Create an alternate user name and password to access your Git repository using alternate credentials. Unlike PATs, this login doesn't expire and can't be scoped to limit access to your Azure DevOps Services data. Use alternate credentials as a last resort when you can't use PATs or SSH keys.