Skip to main content

Overview

Gitea API supports multiple authentication methods to secure access to your resources. The recommended method is using personal access tokens with the Authorization header.

Authentication Methods

Gitea supports the following authentication methods:
  1. Authorization Header Token (Recommended)
  2. HTTP Basic Authentication
  3. OAuth2
  4. Query Parameters (Deprecated)

Personal Access Tokens

Creating a Token

Personal access tokens are the recommended way to authenticate with the Gitea API.
  1. Log in to your Gitea instance
  2. Navigate to SettingsApplicationsAccess Tokens
  3. Click Generate New Token
  4. Enter a token name and select the required scopes
  5. Click Generate Token
  6. Copy the token immediately (it won’t be shown again)
Store your access tokens securely. They provide the same level of access as your password for the scopes you’ve granted.

Using Tokens in Requests

The recommended way to use tokens is via the Authorization header with the token prefix:

Token Scopes

Tokens can be created with specific scopes to limit their permissions:
The API automatically determines the required access level (read/write) based on the HTTP method. GET requests require read access, while POST/PUT/PATCH/DELETE require write access.

Public-Only Scopes

Tokens can be restricted to public resources only by appending :public to the scope:
  • read:repository:public - Only access public repositories
  • read:organization:public - Only access public organizations
  • read:user:public - Only access public user information

HTTP Basic Authentication

Basic authentication uses your Gitea username and password (or token).
HTTP Basic Authentication is supported but not recommended for API usage. Use personal access tokens with the Authorization header instead.

Two-Factor Authentication (2FA)

If two-factor authentication is enabled on your account, include the TOTP code in the X-GITEA-OTP header:

OAuth2 Authentication

Gitea supports OAuth2 for third-party application authentication.

Creating an OAuth2 Application

  1. Go to SettingsApplicationsOAuth2 Applications
  2. Click Create a new OAuth2 Application
  3. Enter application details and redirect URI
  4. Note the Client ID and Client Secret

OAuth2 Flow

  1. Authorization Request:
  1. Token Exchange:
  1. Use Access Token:
OAuth2 tokens are JWT (JSON Web Tokens) and contain a dot (.) in the token string.

Query Parameter Authentication (Deprecated)

Query parameter authentication is deprecated and will be removed in Gitea 1.23. Migrate to Authorization header authentication.
Historically, tokens could be passed as query parameters:
If query parameter authentication is disabled via DISABLE_QUERY_AUTH_TOKEN=true, these requests will fail with a warning in the server logs.

Sudo / Impersonation

Administrators can perform API requests on behalf of other users using the sudo feature.

Using Sudo Header

Using Sudo Query Parameter

Sudo functionality requires administrator privileges. Non-admin users will receive a 403 Forbidden error.

Actions Authentication

Gitea Actions workflows can authenticate using automatic task tokens:
Task tokens are:
  • Automatically generated for running workflows
  • Scoped to the repository where the action is running
  • Valid only while the task is in “running” status

Testing Authentication

Test your authentication by retrieving your user information:

Security Best Practices

Use HTTPS

Always use HTTPS in production to prevent token interception

Scope Tokens

Grant minimal necessary scopes to access tokens

Rotate Tokens

Regularly rotate tokens and revoke unused ones

Secure Storage

Never commit tokens to version control or expose in logs

Managing Tokens via API

You can manage access tokens programmatically:

List Tokens

Create Token

Delete Token

Creating and deleting tokens requires Basic Authentication or Reverse Proxy authentication. You cannot use a token to create another token.

Troubleshooting

401 Unauthorized

  • Verify the token is correct and not expired
  • Check that the token hasn’t been revoked
  • Ensure you’re using the correct authentication method

403 Forbidden

  • Verify the token has the required scopes
  • Check if the account is active and not prohibited from login
  • Ensure 2FA requirements are met if enforced
  • For sudo requests, verify admin privileges

Deprecation Warnings

If you see X-Gitea-Warning headers about deprecated authentication:
Migrate to using the Authorization header:

Next Steps

API Reference

Explore available API endpoints

Webhooks

Set up webhooks for event notifications