GitHub MCP Server Authentication Guide
If GitHub MCP Server is installed but not working correctly, the problem is often authentication. This guide explains how GitHub MCP auth works, which token scopes matter, how classic and fine-grained tokens differ, and how to debug private repository access problems.
For the full installation walkthrough, see GitHub MCP Server Setup. For general MCP installation help, read How to Install MCP Servers.
How GitHub MCP authentication works
In most local Claude Desktop setups, GitHub MCP Server authenticates with a GitHub Personal Access Token passed through the GITHUB_PERSONAL_ACCESS_TOKEN environment variable. The server then uses that token to decide which GitHub APIs it can access and, in some cases, which MCP tools it should expose.
In remote GitHub MCP setups, OAuth can also be used. GitHub's own MCP docs note that remote flows may default to one-click OAuth, while PATs remain available for manual configuration and local setups.
Recommended token scopes
For most developer workflows in Claude Desktop, the recommended classic token baseline is:
| Scope | Why it matters |
|---|---|
repo | Grants access to private repositories and many repo-level operations. |
read:org | Helps the server read organization membership and org-level visibility. |
read:user | Provides basic user account information needed for account-aware operations. |
According to GitHub MCP Server's scope filtering documentation, some scopes imply others. For example, repo implicitly includes public_repo and security_events.
Classic vs fine-grained tokens
Classic PAT
Classic personal access tokens use broad scopes like repo and read:org. They are easier to configure and remain the simplest choice for most GitHub MCP Server tutorials.
The official GitHub MCP Server can also filter visible tools at startup based on the scopes available in a classic token.
Fine-grained PAT
Fine-grained tokens let you restrict access to selected repositories and narrower permission sets. They are safer in principle, especially for enterprise or multi-repo environments.
The tradeoff is setup complexity. If you forget a required repository permission, GitHub MCP may authenticate successfully but fail on specific actions like reading pull requests or modifying issues.
Private repository access
A very common support issue is that GitHub MCP Server appears to work, but Claude cannot see a private repository. In most cases, the token simply lacks sufficient repository permissions. A token with only public access can still authenticate successfully while failing on private repo operations.
If you use a fine-grained token, confirm that the specific repositories are included and that the repository-level permissions cover the actions you want Claude to perform. For example, pull request access or issues access may need to be granted explicitly depending on your workflow.
How to check your token scopes
GitHub MCP's own scope filtering docs show a simple way to inspect the scopes attached to your token by checking the GitHub API response headers.
curl -sI -H "Authorization: Bearer $GITHUB_PERSONAL_ACCESS_TOKEN" \ https://api.github.com/user | grep -i x-oauth-scopes
This command helps confirm whether your token actually contains the scopes you think it does.
Why some tools may be missing
GitHub MCP Server includes automatic scope-aware behavior. In the official server configuration docs, GitHub explains that classic PATs can cause tools to be filtered at startup based on granted scopes. OAuth flows handle missing permissions differently by prompting for additional authorization when needed.
That means a missing tool is not always a server bug. Sometimes it is a sign that your token permissions are narrower than the workflow you want to perform.
Common authentication errors
Token is valid, but private repos are invisible
Your token likely lacks repo access or the fine-grained token is not scoped to the correct repositories.
Some tools are missing in Claude
If you use a classic PAT, the official GitHub MCP server may be filtering tools based on the scopes the token provides.
Issue or PR actions fail
The token may authenticate correctly but still lack the permission set needed for pull requests, issues, or repository writes.
The token works in GitHub CLI but not in MCP
Check whether the token is being passed into the MCP server environment variable correctly. A typo in the env block is common.
Auth seems correct, but Claude still fails
Fully restart Claude Desktop after changing the config. MCP servers often keep the old environment until the client restarts.
Best practices for safer auth
Use least privilege
Start with the minimum repository and org access needed for your workflow instead of granting everything by default.
Separate work and personal tokens
Use distinct tokens for company repositories and personal projects so you can rotate or revoke them independently.
Prefer fine-grained tokens for sensitive setups
If your environment is security-sensitive, fine-grained tokens are worth the extra configuration effort.
Related Guides
Frequently asked questions
How does GitHub MCP Server authentication work?▾
GitHub MCP Server can authenticate with a Personal Access Token or, in some remote setups, OAuth. Most Claude Desktop and local npx setups use a GitHub Personal Access Token stored in the server environment variables.
Which token scopes do I need for GitHub MCP Server?▾
For most Claude workflows, the practical baseline is repo, read:org, and read:user. These scopes cover private repositories, organization visibility, and basic user-level account access.
Can GitHub MCP Server access private repositories?▾
Yes, but only if the token has the right repository permissions. A token without repo access may still work for public resources while failing on private repository operations.
What is the difference between classic and fine-grained GitHub tokens?▾
Classic tokens use broad scopes like repo and read:org. Fine-grained tokens let you limit access to specific repositories and narrower permissions. Fine-grained tokens can be safer, but they are also easier to misconfigure if you miss a required permission.
Why are some GitHub MCP tools missing in Claude?▾
The official GitHub MCP server can filter visible tools based on the scopes available in a classic Personal Access Token. If the token does not grant enough access, some tools may not appear or may fail when called.
How do I check what scopes my GitHub token has?▾
You can inspect the token scopes by sending an authenticated request to the GitHub API and reading the x-oauth-scopes response header.
Go back to the GitHub MCP tool page
Browse the MCPIndex GitHub MCP listing for setup JSON, use cases, steps, and direct links to related guides.