Aivizor

GitHub adds per-request header to force new App installation token format

News
Orion Hartwell

5/16/2026, 3:11:19 AM

GitHub has introduced a temporary request header, X-GitHub-Stateless-S2S-Token, that overrides the server-side rollout of the new GitHub App installation token format for a single POST /app/installations/:installation_id/access_tokens request. The header follows the rollout plan announced in April 2026 and lets teams validate their integrations against either token format before the new format is switched on for their apps.

The header supports three behaviors: setting the value to enabled returns a stateless, JWT-format token regardless of rollout status; setting it to disabled returns a stateful, opaque token even if your app is included in the rollout; omitting the header yields normal rollout behavior. Any other header value is silently ignored and treated as absent. This override applies specifically to the REST API endpoint that creates installation access tokens for apps.

The new stateless tokens carry the ghs_ prefix and are JWT-format strings: they are substantially longer (around 520 characters) and include two dots. By contrast, the existing stateful tokens are short opaque strings with no dots. At runtime, you can distinguish them by checking for two dots after the ghs_ prefix (JWT) versus no dots (opaque). Existing installation tokens remain valid until they expire.

Integrators must update their token handling before the rollout reaches them, or token creation will start returning strings their code rejects. GitHub recommends removing hardcoded token-length assumptions, accepting tokens that contain additional underscores and dots, and treating ghs_ tokens as opaque strings for introspection rather than parsing JWT claims out of them. The recommended regex that matches both formats is ghs_[A-Za-z0-9\._]{36,}. Database columns, secret stores and any HTTP header buffers that hold these tokens should allow at least 520 characters to accommodate the longer JWT-format tokens.
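The following is an added example, not code from GitHub or from the original article. It shows the client side of the override header, a small model of the server-side decision the changelog describes (enabled and disabled override the rollout, any other value is treated as absent), and a token classifier that applies GitHub's recommended regex and the two-dots check without decoding JWT claims. The header name, endpoint path, regex and 520-character figure come from the changelog; the simulated endpoint, the constructed sample tokens and all helper names are assumptions made for this example and are not real GitHub tokens.

```python
import re
import secrets
import string
from typing import Optional

# From the changelog: the override header and the endpoint it applies to.
OVERRIDE_HEADER = "X-GitHub-Stateless-S2S-Token"
TOKEN_ENDPOINT = "POST /app/installations/{installation_id}/access_tokens"

# GitHub's recommended pattern for matching both the opaque and the JWT-format token.
GHS_TOKEN_RE = re.compile(r"ghs_[A-Za-z0-9\._]{36,}")

# Minimum width GitHub recommends for columns and header buffers that hold tokens.
MIN_STORAGE_LEN = 520

_ALNUM = string.ascii_letters + string.digits


def override_headers(mode: Optional[str]) -> dict:
    """Build the per-request override header for the three documented behaviours.

    mode="enabled"  -> force a stateless JWT-format token
    mode="disabled" -> force a stateful opaque token
    mode=None       -> omit the header: normal rollout behaviour
    Any other value is rejected client-side so a typo cannot silently turn a
    'test the new format' run into a 'normal rollout' run (the server would
    ignore it and treat the header as absent).
    """
    if mode is None:
        return {}
    if mode not in ("enabled", "disabled"):
        raise ValueError(f"{OVERRIDE_HEADER} accepts only 'enabled' or 'disabled'")
    return {OVERRIDE_HEADER: mode}


def _constructed_opaque_token() -> str:
    # Constructed sample with the shape of today's stateful token: ghs_ + 36 chars, no dots.
    return "ghs_" + "".join(secrets.choice(_ALNUM) for _ in range(36))


def _constructed_jwt_token() -> str:
    # Constructed sample with the shape of the new token: ghs_ prefix, three
    # segments separated by two dots, 520 characters in total. Not a signed JWT.
    def seg(n: int) -> str:
        return "".join(secrets.choice(_ALNUM + "_") for _ in range(n))
    return "ghs_" + ".".join([seg(36), seg(392), seg(86)])


def simulate_access_tokens_endpoint(app_in_rollout: bool, headers: dict) -> str:
    """Assumed model of the server-side decision for the access_tokens endpoint.

    'enabled' and 'disabled' override the rollout state; anything else is
    treated as if the header were absent. Header names are matched
    case-insensitively, as HTTP requires.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == OVERRIDE_HEADER.lower()), None)
    if value == "enabled":
        stateless = True
    elif value == "disabled":
        stateless = False
    else:
        stateless = app_in_rollout
    return _constructed_jwt_token() if stateless else _constructed_opaque_token()


def classify_token(token: str) -> str:
    """Return 'jwt' or 'opaque' for a ghs_ token, treating it as an opaque string.

    Uses the recommended regex (as a full match here, for validation) and the
    two-dots check; it never base64-decodes or parses claims.
    """
    if not GHS_TOKEN_RE.fullmatch(token):
        raise ValueError("not a ghs_ installation token")
    dots = token[len("ghs_"):].count(".")
    if dots == 2:
        return "jwt"
    if dots == 0:
        return "opaque"
    raise ValueError(f"unexpected ghs_ token shape ({dots} dots)")


def storage_ready(column_width: int) -> bool:
    """True if a column or buffer of this width can hold the longer JWT-format token."""
    return column_width >= MIN_STORAGE_LEN


if __name__ == "__main__":
    # Validate both paths against an app that is not yet in the rollout.
    for mode in ("enabled", "disabled", None):
        tok = simulate_access_tokens_endpoint(False, override_headers(mode))
        print(f"{mode!s:>8}: {classify_token(tok):6} len={len(tok)}")
```

Run the two forced modes against a staging copy of your integration and, in particular, exercise every place a token is written to a database, a log redactor or a proxy header; a 40-character assumption anywhere in that path is the failure the header is there to surface before the rollout does.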

The change covers GitHub Enterprise Cloud and Data Residency environments; GitHub Enterprise Server is not affected. Upcoming rollout phases will apply the new token format to other server-to-server tokens for GitHub Apps, including the GITHUB_TOKEN used in Actions workflows. Separately, GitHub said it will share details in the coming weeks about planned format changes for the user-to-server tokens used in Copilot code review flows.

The practical step for teams is to test proactively: send X-GitHub-Stateless-S2S-Token: enabled to validate end-to-end handling of stateless tokens, and send disabled to confirm that the integration still handles opaque tokens. The header is temporary and will be deprecated at a later date, so remove the override from production once both formats have been validated. If the change disrupts workflows, contact GitHub Support or join the discussion in the GitHub Community.

Sources

  1. GitHub Changelog · 5/16/2026