GitHub App Installation Tokens: New Format Rolling Out April 27

GitHub App installation tokens are expanding from 40 to ~520 characters starting April 27. If your code validates token length or uses regex patterns, update now or risk breaking integrations.

TL;DR

  • GitHub App installation tokens are getting a new format starting April 27, 2026 — tokens will grow from 40 to ~520 characters
  • New format uses ghs_APPID_JWT structure instead of fixed-length strings
  • If your code validates token length or uses regex patterns like ghs_[A-Za-z0-9]{36}, it will break — update now

What's Changing

  • Token length — Installation tokens will expand from 40 characters to approximately 520 characters, with variable length based on embedded data
  • Token format — New format is ghs_APPID_JWT, still prefixed with ghs_ but now includes a signed JWT payload
  • Stateless design — JWT is signed by GitHub internally and contains installation, app, and validation details. Do not validate or parse it in your code

Rollout Timeline

  • April 27 – mid-May 2026 — Staged rollout begins for GitHub Actions GITHUB_TOKEN and first-party integrations (Dependabot, Slack, Teams)
  • Mid-May to late-June 2026 — Broader rollout to all GitHub App installation tokens, with a brownout period to catch format-dependent integrations

What You Need to Do

  • Remove any hardcoded token length checks — tokens are no longer exactly 40 characters
  • Delete regex patterns that validate token format (e.g., ghs_[A-Za-z0-9]{36})
  • Expand database columns storing tokens to at least 520 characters
  • Treat tokens as opaque strings — never parse or validate their contents
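
An added example, not from GitHub or the original post: a heuristic Python audit that flags the assumptions listed above (fixed-format regexes, hardcoded length checks, token columns narrower than 520 characters) in source text. The rule names, the regexes and the constructed SAMPLE input are assumptions of this example, and checks written in other shapes will not be caught.

```python
import re
from typing import NamedTuple

MIN_WIDTH = 520  # storage floor recommended in the post

class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str

# Fixed-repeat patterns such as ghs_[A-Za-z0-9]{36}
FIXED_REGEX = re.compile(r"ghs_\[[^\]]+\]\{\d+(?:,\d*)?\}")
# len(token) != 40, token.length === 40, token.size() == 40
LEN_CHECK = re.compile(
    r"(?:len\(\s*\w*token\w*\s*\)|\w*token\w*\.(?:length|size)(?:\(\))?)"
    r"\s*[!=<>]=*\s*(\d+)", re.I)
# install_token VARCHAR(40), token CHAR(40)
COLUMN = re.compile(r"\b\w*token\w*\s+(?:var)?char\s*\(\s*(\d+)\s*\)", re.I)

def audit(source: str) -> list[Finding]:
    """Return one Finding per format assumption spotted in `source`."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if FIXED_REGEX.search(line):
            findings.append(Finding(no, "fixed-format-regex", text))
        m = LEN_CHECK.search(line)
        if m and int(m.group(1)) > 0:  # ignore plain non-empty checks
            findings.append(Finding(no, "length-check", text))
        m = COLUMN.search(line)
        if m and int(m.group(1)) < MIN_WIDTH:
            findings.append(Finding(no, "narrow-column", text))
    return findings

# Constructed sample input mixing Python, JavaScript and SQL lines.
SAMPLE = '''\
TOKEN_RE = re.compile(r"^ghs_[A-Za-z0-9]{36}$")
if len(install_token) != 40:
    raise ValueError("bad token")
if (installToken.length === 40) { use(installToken); }
CREATE TABLE creds (id INT, install_token VARCHAR(40));
CREATE TABLE creds2 (id INT, install_token VARCHAR(1024));
headers = {"Authorization": f"Bearer {install_token}"}
'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.text}")
```

Each finding marks a line to fix by hand: drop the check or widen the column, and pass the token through unchanged.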

Scope

  • Applies to GitHub Enterprise Cloud and Data Residency only — GitHub Enterprise Server is unaffected
  • Existing tokens continue working until expiration
  • User-to-server tokens (used in Copilot code review flows) will change later — details coming soon

Update: Review your GitHub App integrations now and audit for token format assumptions. See GitHub's authentication docs for implementation details.

Source: GitHub Changelog