People who use Visual Studio Online for a while are probably familiar with the alternate credentials. These are used when accessing the REST API or when using an external client for accessing your Git repositories.
You configure your alternate credentials on your [My Profile] page and fill a username and password of your choice.
Once you enable your credentials, you can use these credentials when doing a REST call or (easier to test) clone a Git repository
This is great but not the most secure way of doing things.
Personal Access Tokens
In the update of July 7th, we now have the ability to use Personal Access Tokens as an alternative to the Alternate Credentials. Instead of sending our username and password over the wire we an now use a secure token that we can scope to a timeframe and to functionality within VSO. On the [My Profile] page you can configure one or more Personal Access Tokens. For example a token to access Code Features.
When you create the token, you see a token (only visible after creation !) that you should copy and keep safe.
This token alone is sufficient to authenticate against VSO. So when you now clone a Git repository you only have to fill in this token in the password box. Username can be empty or any value
The great thing is that you can revoke rights or the token afterwards and make sure that people cannot access stuff anymore.
Hope this helps!
The Road to ALM 
24 responses to “Using Personal Access Tokens to access Visual Studio Online”
How do you actually use one of these things? Do I just send the personal access token as the value of the authorization header in the request? Does it have to be formatted some certain way? I’m using Casablanca for a command line tool and I can’t get it to authenticate using a personal access token against the REST APIs. This all seems to be too new to have much around the net about using it, this and one other blog post announcing it are all I found. Any docs that get into the specifics of the handshake?
I used Postman in Google Chrone as App Postman sends the value in the header. Just like the basic authentication. Hope this helps !
[…] a Personal Access Token (PAT) to access Visual Studio Online through the app. Personal Access Tokens are a more secure way of […]
[…] also use the newly introduced personal access tokens (you can read more about that in this post of Rene van […]
Is there a way to set the access token in a config so I don’t have to copy paste it?
I know VSO is working on SSH support but in the meanwhile….
Thx.
What config do you mean ?
I use powershell to read token from config file and replace it to url like this https://token@xxx.visualstudio.com/DefaultCollection/XXX/_git/xxx
[…] Run tfx login. (requires PAT which can be created using these directions https://roadtoalm.com/2015/07/22/using-personal-access-tokens-to-access-visual-studio-online/) […]
[…] https://roadtoalm.com/2015/07/22/using-personal-access-tokens-to-access-visual-studio-online/ […]
[…] https://roadtoalm.com/2015/07/22/using-personal-access-tokens-to-access-visual-studio-online/ […]
Sorry for an irrelevant question! Which tool you used for drawing frame and curved line?
Paint.net 🙂
That tool is cool. Your article is great!
[…] See <need link to service endpoint reference or point to this in the short term this https://roadtoalm.com/2015/07/22/using-personal-access-tokens-to-access-visual-studio-online/> […]
[…] Run tfx login. (requires PAT which can be created using these directions https://roadtoalm.com/2015/07/22/using-personal-access-tokens-to-access-visual-studio-online/) […]
Silly Question :- )
But is this functionality also available in the normal “non-cloud version” of TFS 2015 ?
Nope…
Bummer.Thanks for your answer!
[…] Instead of the variable you get out of the box, you need to create a Personal Access Token (PAT). I describe how to do that in this blogpost […]
[…] I also have a RestToken as a parameter. When we do not use the Release pipeline, we can just send a Personal Access Token to use this script from the command line as […]
[…] First create a Personal Access Token (as described here ) […]
[…] First create a Personal Access Token (as described here ) […]
[…] Now that you have published your module to the Package Repo, you can use it in Powershell. To connect securely you need your VSTS user account (email) and Personal Access Token (See here how to generate one) […]
[…] Generate  a Personal Access Token to use the functionality of Package Management […]