GitHub Personal Access Token (Classic & Fine-Grained) Regex for Python

What this pattern does

This page provides a well-structured, multi-part regular expression for matching github personal access token (classic & fine-grained), ported and verified for Python. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

# GitHub Personal Access Token (Classic & Fine-Grained)
# ReDoS-safe | RegexVault — Security > API Keys & Tokens

import re

github_personal_access_token_classic_finegrained_pattern = re.compile(r'^(ghp_|gho_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{20,80}$')

def validate_github_personal_access_token_classic_finegrained(value: str) -> bool:
    return bool(github_personal_access_token_classic_finegrained_pattern.fullmatch(value))

# Example
print(validate_github_personal_access_token_classic_finegrained("ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345"))  # True

Test Cases

When to use this pattern

This pattern is drawn from the Security > API Keys & Tokens category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Technical Notes

GitHub token prefixes: ghp_=personal access token (classic), gho_=OAuth token, ghs_=GitHub App installation token, ghr_=refresh token, github_pat_=fine-grained PAT (newer format). Fine-grained PATs are scoped to specific repos and operations.