Personal Access Token (PAT)
A secret string that authenticates a user with a service like GitHub or Figma in place of a password.
In one sentence
A Personal Access Token is a long random string that stands in for my password when a script or tool needs to talk to a service on my behalf.
What it is
A Personal Access Token (PAT) is a credential issued by a service (GitHub, Figma, GitLab, Atlassian, and many others) that authenticates API requests. Instead of sharing a password, I create a token with a specific scope and an expiration date, then paste it into a tool or environment variable.
It is the key card you issue a contractor instead of lending them your own. It opens only the rooms the job needs, it expires on a set date, and if it goes missing you cancel that one card, not the whole building. Sharing your password is handing over the master key.
Why it matters
Most integrations that touch a design system need a PAT somewhere: syncing tokens to GitHub, pulling component data from Figma, triggering a workflow. Passwords do not work for APIs, and putting a password in a config file would be unsafe anyway. PATs are the safer, scoped, revocable alternative.
Example
A typical GitHub PAT setup:
- Open GitHub, go to Settings, then Developer settings, then Personal access tokens
- Create a new fine-grained token with only the scopes I need (for example,
contents: read/writeon one repo) - Set an expiration of 30 or 90 days
- Copy the token once (it is shown exactly once) and paste it into a
.envfile asGITHUB_TOKEN=... - Reference it in scripts with
process.env.GITHUB_TOKEN
Then, when the token expires, I rotate it without changing any code.
Handle with care
- Treat a PAT like a password: never commit it to Git, never paste it in Slack
- Use the narrowest scope the task allows (read-only if possible)
- Set an expiration date so a forgotten token cannot live forever
- Store it in environment variables or a secrets manager, not in source code
- Rotate or revoke immediately if it ever leaks