Access github API in browser using personal access token

github.html

<!doctype html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Taxfix Question Editor</title>
    <link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
  </head>
  <body>
    <div id='root'>
    </div>
    <script>
      const user = 'andrewn';

      // Generate token here: https://github.com/settings/tokens
      const token = '<token goes here>';
      const endpoint = 'https://api.github.com';

      const creds = `${user}:${token}`;
      const auth = btoa(creds);

      const options = {
        mode: 'cors',
        headers: {
          'Authorization': 'Basic ' + auth,
        }
      }

      const api = (resource) => {
        return fetch(`${endpoint}${resource}`, options)
          .then(
            response => response.json(),
            err => console.error('Error fetching', err)
          )
          .then(
            json => console.log('JSON', json),
            err => console.error('Error parsing', err)
          );
      }

      // Get info for this user
      api('/user');

      // Get pull requests from this repo
      api('/repos/taxfix/taxfix-question-editor/pulls');

    </script>
  </body>
</html>

I just came across this from Google and I just wanted to warn anyone reading this that you should never use a personal access token in the browser since you will have just exposed it publicly. If anyone has done this, immediately go refresh your token and then remove the code from your client side code.

Don't expose your token in browser!!!

Unnecessary scaremongering. No where the gist mentions to host the html on a public facing site. Runing something in the browser does not mean it is exposed publicly.

Its perfectly safe to use a personal access token in the browser for personal use.