To keep your credentials secure, you should regularly audit your SSH keys, deploy keys, and review authorized applications that access your GitHub account.
Reviewing your SSH keys
You can delete unauthorized (or possibly compromised) SSH keys to ensure that an attacker no longer has access to your repositories. You can also approve existing SSH keys that are valid.
- In the top right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click SSH keys.

-
On the SSH Settings page, take note of the SSH keys associated with your account. For those that you don't recognize, or that are out-of-date, click Delete. If there are valid SSH keys you'd like to keep, click Approve.

Note: If you're auditing your SSH keys due to an unsuccessful Git operation, the unverified key that caused the SSH key audit error will be highlighted in the list of SSH keys.

Open Terminal.
-
Start SSH agent in the background.
eval "$(ssh-agent -s)" Agent pid 59566
-
Find and take a note of your public key fingerprint. If you're using OpenSSH 6.7 or older:
ssh-add -l 2048 a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d /Users/USERNAME/.ssh/id_rsa (RSA)
If you're using OpenSSH 6.8 or newer:
ssh-add -l -E md5 2048 MD5:a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d /Users/USERNAME/.ssh/id_rsa (RSA)
The SSH keys on GitHub should match the same keys on your computer.
- In the top right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click SSH keys.

-
On the SSH Settings page, take note of the SSH keys associated with your account. For those that you don't recognize, or that are out-of-date, click Delete. If there are valid SSH keys you'd like to keep, click Approve.

Note: If you're auditing your SSH keys due to an unsuccessful Git operation, the unverified key that caused the SSH key audit error will be highlighted in the list of SSH keys.

Open the command line.
-
If you are using Git Bash, turn on ssh-agent:
# start the ssh-agent in the background eval "$(ssh-agent -s)" Agent pid 59566
If you are using another terminal prompt, such as Git for Windows, turn on ssh-agent:
# start the ssh-agent in the background eval $(ssh-agent -s) Agent pid 59566
-
Find and take a note of your public key fingerprint. If you're using OpenSSH 6.7 or older:
ssh-add -l 2048 a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d /Users/USERNAME/.ssh/id_rsa (RSA)
If you're using OpenSSH 6.8 or newer:
ssh-add -l -E md5 2048 MD5:a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d /Users/USERNAME/.ssh/id_rsa (RSA)
The SSH keys on GitHub should match the same keys on your computer.
- In the top right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click SSH keys.

-
On the SSH Settings page, take note of the SSH keys associated with your account. For those that you don't recognize, or that are out-of-date, click Delete. If there are valid SSH keys you'd like to keep, click Approve.

Note: If you're auditing your SSH keys due to an unsuccessful Git operation, the unverified key that caused the SSH key audit error will be highlighted in the list of SSH keys.

Open Terminal.
-
Start SSH agent in the background.
eval "$(ssh-agent -s)" Agent pid 59566
-
Find and take a note of your public key fingerprint. If you're using OpenSSH 6.7 or older:
ssh-add -l 2048 a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d /Users/USERNAME/.ssh/id_rsa (RSA)
If you're using OpenSSH 6.8 or newer:
ssh-add -l -E md5 2048 MD5:a0:dd:42:3c:5a:9d:e4:2a:21:52:4e:78:07:6e:c8:4d /Users/USERNAME/.ssh/id_rsa (RSA)
The SSH keys on GitHub should match the same keys on your computer.
Warning: If you see an SSH key you're not familiar with on GitHub, delete it immediately and contact GitHub support for further help. An unidentified public key may indicate a possible security concern.
Reviewing your deploy keys
Delete unauthorized (or possibly compromised) deploy keys to ensure that an attacker no longer has access to your repositories. You can also approve existing deploy keys that are valid.
On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings.

In the left sidebar, click Deploy keys.

- On the Deploy keys page, take note of the deploy keys associated with your account. For those that you don't recognize, or that are out-of-date, click Delete. If there are valid deploy keys you'd like to keep, click Approve.
For more information on managing deploy keys, check out our guide on deploy keys.
Reviewing your authorized applications (OAuth)
Review your authorized applications to verify that no new applications with expansive permissions are authorized, such as those that have access to your private repositories.
In the user settings sidebar, click Applications.

On the Applications Settings page, under Authorized Applications, review the tokens that have access to your account. For those that you don't recognize, or that are out-of-date, click Revoke. To revoke all tokens, click Revoke all.


