We are facing issue with our Github connector it was working fine from last couple of month for github organization but suddenly it starts through an error "token is unauthorized "for org and same error we are getting in both the environment, we have already checked PAT token for both environment those are not expired anyone also facing similar issue. We tried to created new PAT token it is still throwing same error
Hey Shweta, since this hit both environments at once with tokens that aren’t expired, I would look at the GitHub org side, not the token.
I think most likely cause: SAML SSO authorization. If your org has SSO on, every classic PAT needs to be authorized for that org separately from being valid, which is also why a brand new PAT failed the same way, it hits the same wall until authorized. Check Sign in to GitHub · GitHub, there’s a “Configure SSO” option next to the token, click through it and authorize it for the org.
The fastest way to tell whether this is GitHub-side or SailPoint-side is to test the token directly outside ISC:
If that comes back 403 or 404, or you see an X-GitHub-SSO header in the response, that confirms it’s the org rejecting the token and ISC will fail the same way no matter what you change on the connector side. Once that call returns 200, drop the same token into the source and retest the connection. If it works outside ISC but still fails inside, that’s when it’s worth opening a case with SailPoint and including the requestId from the error.
If your org doesn’t use SSO, check whether the token owner still has full access in the org, or whether a PAT policy got changed recently, both can block a token without it ever expiring.
Got it. I would separate two things here: a token being valid and a token being authorized for a specific GitHub org are not always the same check.
If the token was tested only against /user or any basic GitHub endpoint, that only confirms the PAT is active and not expired. It does not fully confirm that the same PAT is allowed to access that org. Can you test the same PAT directly against the org endpoint:
If that returns 403 or 404, or if the response has an X-GitHub-SSO header, then the token is being blocked at the GitHub org level, not by SailPoint. If SAML SSO is enabled for the org, the PAT needs to be authorized for that org separately from the token itself being valid.
If your org does not use SSO, I would ask the GitHub org admin to check whether anything changed recently around classic PAT access, PAT approval, or token lifetime policy. Since this started suddenly in both environments, that feels more likely than a SailPoint-side config issue.
Also double-check the PAT has the required SailPoint GitHub connector scopes, mainly admin:org and user.
If the org endpoint returns 200 with the same token, then GitHub is accepting the token for that org at least at the basic org level. In that case, I would collect the connector requestId, timestamp, source config details, and the API test result, then raise it with SailPoint Support to confirm which GitHub API call is failing inside the connector.
Same issue here. The API call is successful when ran locally using “curl” but from Sailpoint “Test Connection” in the source, it fails. Only started to fail about 2 days ago and no changes to PAT on github side.
Hello Shweta,
Since @wanderalvarenga and @colsergesfa are also seeing the same issue now, and Colin confirmed the same API call works locally with curl but fails only from SailPoint Test Connection, this does not look like an individual GitHub authorization or token configuration issue anymore.
I think it is better to raise this with SailPoint Support now, so they can check the GitHub connector/runtime side and confirm if anything has changed recently.