Personal Access Token (PAT)
A secret string that authenticates a user with a service like GitHub or Figma in place of a password.
In one sentence
A Personal Access Token is a long random string that stands in for my password when a script or tool needs to talk to a service on my behalf.
What it is
A Personal Access Token (PAT) is a credential issued by a service (GitHub, Figma, GitLab, Atlassian, and many others) that authenticates API requests. Instead of sharing a password, I create a token with a specific scope and an expiration date, then paste it into a tool or environment variable.
Why it matters
Most integrations that touch a design system need a PAT somewhere: syncing tokens to GitHub, pulling component data from Figma, triggering a workflow. Passwords do not work for APIs, and putting a password in a config file would be unsafe anyway. PATs are the safer, scoped, revocable alternative.
Example
A typical GitHub PAT setup:
- Open GitHub, go to Settings, then Developer settings, then Personal access tokens
- Create a new fine-grained token with only the scopes I need (for example, contents: read/write on one repo)
- Set an expiration of 30 or 90 days
- Copy the token once (it is shown exactly once) and paste it into a .env file as GITHUB_TOKEN=...
- Reference it in scripts with process.env.GITHUB_TOKEN
Then, when the token expires, I rotate it without changing any code.
Handle with care
- Treat a PAT like a password: never commit it to Git, never paste it in Slack
- Use the narrowest scope the task allows (read-only if possible)
- Set an expiration date so a forgotten token cannot live forever
- Store it in environment variables or a secrets manager, not in source code
- Rotate or revoke immediately if it ever leaks
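Added example, not code from this page: a small Node script that follows the setup above and the handling rules just listed. It reads GITHUB_TOKEN from the environment, refuses to run without it, masks it in log output, and scans text for PAT-shaped strings so a pre-commit hook can stop a leak. The ghp_ and github_pat_ prefixes are the ones GitHub issues; the length bounds, the function names and the sample values are my own assumptions.

```javascript
// Added example (not from the page): a GitHub PAT read from the environment,
// validated up front, kept out of logs, and detected if it lands in text
// that is about to be committed.

// Build headers for a GitHub REST call. `env` is injectable so the logic
// can be exercised with a constructed object instead of the real process.env.
function githubHeaders(env = process.env) {
  const token = (env.GITHUB_TOKEN || '').trim();
  if (token === '') {
    // A missing token should stop the script here, not surface later as a
    // confusing 401 from an unauthenticated request.
    throw new Error('GITHUB_TOKEN is not set; create a fine-grained PAT and put it in .env');
  }
  return { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json' };
}

// Mask a token for logs: keep the 4-character prefix (enough to tell the
// token type apart) and drop everything else.
function redact(token) {
  if (typeof token !== 'string' || token.length <= 8) return '***';
  return `${token.slice(0, 4)}...***`;
}

// Report GitHub PAT-shaped strings in arbitrary text (a staged diff, a
// config file) so a pre-commit hook can refuse the commit. The ghp_ and
// github_pat_ prefixes are GitHub's; the length bounds are an assumption.
// Matches are returned already redacted so the hook's own output is safe.
const PAT_PATTERN = /\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b/g;
function findLeakedTokens(text) {
  return [...text.matchAll(PAT_PATTERN)].map((m) => redact(m[0]));
}

// Constructed sample values; the token is a placeholder, not a real PAT.
const fakeToken = 'ghp_' + 'x'.repeat(36);
const sampleEnv = { GITHUB_TOKEN: fakeToken };
console.log(githubHeaders(sampleEnv).Accept);                 // application/vnd.github+json
console.log(redact(fakeToken));                               // ghp_...***
console.log(findLeakedTokens(`GITHUB_TOKEN=${fakeToken}\n`)); // [ 'ghp_...***' ]
```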