Accepting invitations to private repositories using the API with a fine grained personal access token

[TomNaessens]

Select Topic Area

Question

Body

Hi all,

I'm trying to accept invitations to a private repository through the API using a fine grained personal access token, but I'm running into some issues/inconsistencies. The API endpoint I'm using is https://docs.github.com/en/rest/collaborators/invitations?apiVersion=2022-11-28#accept-a-repository-invitation.

Using a "classic" access token, everything works as expected. I can accept the request through a curl shell command without any issues. I'm now trying to use a fine grained personal access token to achieve the same thing. I've set one using the docs above with the following permissions:

Using these, I'm able to list all open invites, but I'm unable to accept one. When trying that, I get the following json error result:

{
  "message": "Not Found",
  "documentation_url": "https://docs.github.com/rest/collaborators/invitations#decline-a-repository-invitation",
  "status": "404"
}

As mentioned, the same call, with a "classic" token just works fine, so the resource isn't the issue.

Logically, I don't really expect this to work since the permissions on the fine grained token are set to: "Private repository invitations: read-only", and there's no option to change it to "write". It would make sense that I'm able to list the invitations, but not accept/decline them because I only have read access.

However, I'm a bit confused by the documentation at this point. It starts by mentioning "Fine-grained access tokens for "Accept a repository invitation"", but then lists only "GitHub App user access tokens" in the list below, and then underneath that, it again claims that "The fine-grained token must have the following permission set: "Administration" repository permissions (write).".

So, summarised, two questions:

1. Am I expected to be able to accept/decline invitations using a fine grained personal access token? If so, what am I doing wrong?
2. Is the documentation correct here?

[Aldayanday1]

Hi! I understand the issue — the documentation here is a bit confusing and can feel misleading.

Fine-grained Personal Access Tokens (PATs) cannot be used to accept or decline repository invitations. Only GitHub App user access tokens (or a Classic PAT) are supported for this endpoint. The docs mix both token types, which makes it look like fine-grained PATs should work, but in reality they don’t.

Why your fine-grained PAT doesn’t work:

The permission “Private repository invitations” exists only in read-only mode for fine-grained PATs.

That’s why you can list invitations, but cannot accept/decline them.

The docs mention “Administration” permission (write), but that’s only available for GitHub Apps, not fine-grained PATs.

✅ Solutions (step-by-step)

Option A — Quickest: Use a Classic PAT

Go to Settings → Developer settings → Personal access tokens → Tokens (classic).

Generate a new token with scope: repo (or admin:repo_hook if required).

Use this token with the PATCH /user/repository_invitations/{invitation_id} endpoint.

Example:

curl -L
-X PATCH
-H "Accept: application/vnd.github+json"
-H "Authorization: Bearer <CLASSIC_PAT>"
-H "X-GitHub-Api-Version: 2022-11-28"
https://api.github.com/user/repository_invitations/INVITATION_ID

Success = HTTP 204.

Option B — Proper fine-grained approach: Use a GitHub App

Create a GitHub App in your user/org settings.

Give it Administration (write) permission for repositories.

Generate a GitHub App user access token.

Use this token with the same PATCH /user/repository_invitations/{invitation_id} endpoint.

Option C — Manual: Accept the invite via GitHub UI if this is not frequent.

In summary: Fine-grained PATs don’t fully cover all endpoints yet. Classic PATs or GitHub Apps are currently the only way to programmatically accept invitations. Hopefully GitHub will expand fine-grained PAT support in the future.

Apologies if there are any mistakes in my explanation — I just wanted to share a clear breakdown. I hope this helps! 🙏

[TomNaessens]

Thank you, that's clear!