Channel: CircleCI Discuss - Latest posts

API endpoints for a private repo respond with 404 to an invalid token


@ndintenfass thanks for your reply but I have to disagree with you. GitHub does return 401 unauthorized on any request if the access token in use is invalid. I do not see how replying with 401 to invalid tokens might reveal any sensitive info.

Here is an example:

curl -v -H "Authorization: token some-invalid-token" https://api.github.com/repos/valid-org/valid-private-repo

< HTTP/1.1 401 Unauthorized
< Content-Type: application/json; charset=utf-8
{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3"
}
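
An added example, not part of the original post and not GitHub's or CircleCI's code: a handler sketch showing one ordering in which a presented but invalid token gets 401 before any repository lookup, while nonexistent and inaccessible private repositories share a single 404. The tokens, the `valid-org/public-repo` entry, and the function names are constructed for illustration.

```python
import hmac

# Constructed sample data (not real tokens or repositories).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user
REPOS = {
    "valid-org/valid-private-repo": {"private": True, "members": {"alice"}},
    "valid-org/public-repo": {"private": False, "members": set()},
}

def authenticate(header):
    """Return the user for an 'Authorization: token <value>' header, or None."""
    scheme, _, presented = (header or "").partition(" ")
    if scheme.lower() != "token":
        return None
    user = None
    for known, owner in TOKENS.items():
        # Constant-time comparison; every entry is scanned regardless of a match.
        if hmac.compare_digest(known.encode(), presented.encode()):
            user = owner
    return user

def handle_get_repo(path, header=None):
    """Return (status, body) for GET /repos/<path>."""
    user = None
    if header is not None:
        user = authenticate(header)
        if user is None:
            # Decided before REPOS is consulted, so the response is identical
            # for every path and says nothing about whether the repo exists.
            return 401, {"message": "Bad credentials"}
    repo = REPOS.get(path)
    visible = repo is not None and (not repo["private"] or user in repo["members"])
    if not visible:
        # Same status and body for "does not exist" and "exists but hidden".
        return 404, {"message": "Not Found"}
    return 200, {"full_name": path, "private": repo["private"]}
```
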
