Please see (auth)Top for all the gory details about Auth-Source. Some Ghub-specific information and important notes follow.
auth-sources controls how and where Auth-Source stores
new secrets and where it looks for known secrets. The default value
("~/.authinfo" "~/.authinfo.gpg" "~/.netrc"), which means that it
looks in all of these files in order to find secrets and that it
stores new secrets in
~/.authinfo because that is the first element of
the list. It doesn’t matter which files already do or don’t exist
when storing a new secret, the first file is always used.
Secrets are stored in
~/.authinfo in plain text. If you don’t want
that (good choice), then you have to customize
auth-sources, e.g. by
flipping the positions of the first two elements.
Auth-Source also supports storing secrets in various key-chains. Refer to its documentation for more information.
Some Auth-Source backends only support storing three values per entry, the "machine", the "login" and the "password". Because Ghub uses separate tokens for each package, it has to squeeze four values into those three slots, and it does that by using "USERNAME^PACKAGE" as the "login".
Assuming your username is "ziggy",the package is named "stardust", and you want to access Github.com an entry in one of the three mentioned files would then look like this:
machine api.github.com login ziggy^stardust password 012345abcdef...
Assuming your username is "ziggy",the package is named "stardust", and you want to access Gitlab.com an entry in one of the three mentioned files would then look like this:
machine gitlab.com/api/v4 login ziggy^stardust password 012345abcdef...