How can I create personal-access-tokens allowing to read pull request list on a public repository?

[matkoniecz]

Select Topic Area

Question

Body

Yes, I tried LLMs. They hallucinate stuff about nonexisting configurations. For example copilot suggested by Microsoft:

So, if your goal is to read pull requests from a public repository you don’t own, you can safely choose:

    Repository access: Only select repositories (or even All repositories — it doesn’t matter for public repos)
    Permissions:
        pull_requests → read
        metadata → read

while such permissions cannot be set (see screen below)

at least classic token with no additional permission works?

[MasteraSnackin]

For public repositories, you actually don't need to add any special permissions to your fine-grained personal access token. All tokens inherently have read-only access to public repositories by default.

The "Public repositories" option you selected under "Repository access" is sufficient. You can simply leave the Permissions section empty (with "No account permissions added yet") and click "Generate token".

The pull_requests and metadata permissions that Copilot suggested are only necessary when you need to access private repositories or when you need write access. For reading pull requests from a public repository, no additional permissions are required.

To summarize:

1. Select "Public repositories" under Repository access
2. Leave Permissions empty (or set to minimal)
3. Generate the token

You'll be able to use this token to call the GitHub API and list pull requests from any public repository, for example:

GET https://api.github.com/repos/{owner}/{repo}/pulls

Just include your token in the Authorization header and you're good to go!

[matkoniecz]

Just include your token in the Authorization header and you're good to go!

it fails with 403 error (specifically, it fails on https://api.github.com/repos/openstreetmap/id-tagging-schema/pulls?state=open&page=1&per_page=100 - the same code configured to use classic token works fine, it opens fine in browser)

[matkoniecz]

wait, for whatever reason I had headers['Authorization'] = f'token {github_token}' and replacing it with headers['Authorization'] = f'{github_token}' caused it to work again

no idea why classic required it and why I put it there and why previous token worked fine until it expired

either way it works now?

and thanks for pointing me to the correct code location in this rubberducking session

[RohanRajGupta]

For public repositories, a fine-grained PAT really does not need any extra permissions to read pull requests. Selecting “Public repositories” under Repository access is enough. You do not need pull_requests: read or metadata: read for this use case.

The actual issue in your case was the Authorization header format.

What went wrong

Classic PATs and fine-grained PATs behave differently here:

Classic PAT requires
Authorization: token
Fine-grained PAT requires
Authorization: Bearer

If you send a fine-grained PAT with token , GitHub responds with 403, even for public repos.

That explains why:

Classic token worked
Fine-grained token failed
Removing token accidentally made it work when GitHub inferred the scheme
Correct, explicit fix (recommended)
Use this header for fine-grained PATs:
Authorization: Bearer YOUR_FINE_GRAINED_TOKEN

Example request:

GET https://api.github.com/repos/openstreetmap/id-tagging-schema/pulls
Authorization: Bearer YOUR_FINE_GRAINED_TOKEN
Accept: application/vnd.github+json

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[yesalphahere]

Creating a PAT to Read Pull Requests on a Public Repo

---

Step-by-Step

1. Go to Token Settings

GitHub → Profile Picture → Settings → Developer Settings → Personal Access Tokens → Tokens (Fine-grained)

---

2. Create a New Token

Click "Generate new token" and fill in:

Field	What to Set
Token name	e.g. read-prs-myrepo
Expiration	Set a date (never = bad practice)
Resource owner	Your account or org
Repository access	Select "Only select repositories" → pick your repo

---

3. Set the Permission

Under Permissions → Repository Permissions find:

Pull Requests → Access: Read-only

That's the only permission you need.

---

4. Generate and Copy

Click "Generate token" — copy it immediately, GitHub will never show it again.

---

Using the Token to Fetch PRs

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://api.github.com/repos/OWNER/REPO/pulls

---

Important Notes

• For public repos, a PAT is technically optional for just reading — but required if you're hitting rate limits or automating
• Use Fine-grained PATs over Classic tokens — they're scoped per repo and far more secure
• Never commit your token to any repo — use environment variables or GitHub Secrets