Personal Access Token

Authenticate TFS and VSTS with PAT

Visual Studio Team Services (VSTS) is one of my favorite tool for source code management. It’s not just limited to that. It has appeal to everyone. From a large team to a small team to even a single developer!

If you’re using VSTS with Visual Studio then, you need not have to worry about this setup. VSTS is beautifully integrated with it. Visual Studio, directly, lets you sign-in to your VSTS or TFS account. However, if we have to use it outside Visual Studio, for ex, Visual Studio Code then, this authentication needs to be done manually!

For any application, which do not support Microsoft account or Azure AD authentication, VSTS needs to be authenticated by Personal Access Tokens (PAT).


Personal Access Tokens (PAT) acts as an alternate password. Just like any token, they do come with an expiration date. One of the advantage they provide over traditional sign-in process is that, we can limit the scope of the application. If we login using the traditional userId/password then, the application, by default gets full permission. However, this way, we can limit its scope.

Certain applications like, Visual Studio Code, require the, All scopes (full permission) option to function properly.

Create Personal Access Tokens (PAT)

Here are the steps to create a PAT:

  • Log-in to your VSTS/TFS account.
  • Launch the profile menu from the top ribbon and select, Security.
    VSTS Profile
  • You will be, by default, redirected to the PAT page itself. There are bunch of other options as well. However, in this blog, we’ll strictly focus on PAT only. Click on Add.
  • Provide a description, unique name, and select the number of days after which, the token will automatically expire.
    Create PAT
  • Select the scope for this token. Since, I’ll be using this token to authenticate VSTS from Visual Studio Code, I am selecting the All scopes option. However, depending upon your requirement, you can choose to limit the scope of any given PAT.
  • Once, the token is created, it will be displayed on the page only once, this time. It’s important to copy the password now, and store it safely for use, afterwards.

Revoke Personal Access Tokens (PAT)

Once the PAT is created, if you re-visit the page, the only available options now, will be to

  • revoke the current token,
  • re-configure the expiration date,
  • alter the description and,
  • modify the scopes of the token.

Hence, it’s really important to create a secure copy of the token, at the time of its creation. Thereafter, it will never be displayed.

Here are the steps to revoke a PAT, so as to drop/remove its access.

  • Navigate to the PAT landing page by following the steps described above.
  • The landing page will now, display a list of all the active PATs, by default.
    PAT List
  • Click on the cross icon of any given token to revoke its access. In this case, it’s VS Code.
  • A modal window will be prompted to confirm this action. Click the Revoke button.
    Revoke PAT

The given token has now been revoked. By selecting the option, Show Revoked Tokens, one can find the list of all the revoked tokens.
Revoked PATs

The action of revoking a PAT cannot be undone.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.