Update README.md

Author: D1M1TR10S

README.md

@@ -101,22 +101,57 @@ See [Remote Server Documentation](docs/remote-server.md) on how to pass addition
 3. Lastly you will need to [Create a GitHub Personal Access Token](https://github.com/settings/personal-access-tokens/new).
 The MCP server can use many of the GitHub APIs, so enable the permissions that you feel comfortable granting your AI tools (to learn more about access tokens, please check out the [documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)).
 
-<details><summary><b>Securely Storing Your GitHub PATs</b></summary>
+<details><summary><b>Handling PATs Securely</b></summary>
 
+## Environment Variables (Recommended)
 To keep your GitHub PAT secure and reusable across different MCP hosts:
 
-1. Save your GitHub PAT in a `.env` file
-```env
-GITHUB_PAT=your_token_here
-```
-2. Ensure `.env` is in your `.gitignore` file to prevent accidental commits.
-3. Source the environment variable
-```bash
-source .env
-```
-4. You can now reference the token using `$GITHUB_PAT` (or any variable name you choose) in CLI commands or config files.
+1. **Store your PAT in environment variables**
+   ```bash
+   export GITHUB_PAT=your_token_here
+   ```
+   Or create a `.env` file:
+   ```env
+   GITHUB_PAT=your_token_here
+   ```
+
+2. **Protect your `.env` file**
+   ```bash
+   # Add to .gitignore to prevent accidental commits
+   echo ".env" >> .gitignore
+   ```
+
+3. **Reference the token in configurations**
+   ```bash
+   # CLI usage
+   claude mcp update github -e GITHUB_PERSONAL_ACCESS_TOKEN=$GITHUB_PAT
+   
+   # In config files (where supported)
+   "env": {
+     "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_PAT"
+   }
+   ```
 
- > Note: the syntax and support for environment variables varies by host app and IDE. Make sure to refer to their documentation for guidance on the proper method for secure token storage and environment variables.
+> **Note**: Environment variable support varies by host app and IDE. Some applications (like Windsurf) require hardcoded tokens in config files.
+
+## Token Security Best Practices
+
+- **Minimum scopes**: Only grant necessary permissions
+  - `repo` - Repository operations
+  - `read:packages` - Docker image access
+- **Separate tokens**: Use different PATs for different projects/environments
+- **Regular rotation**: Update tokens periodically
+- **Never commit**: Keep tokens out of version control
+- **File permissions**: Restrict access to config files containing tokens
+  ```bash
+  chmod 600 ~/.your-app/config.json
+  ```
+
+## Required Scopes
+For GitHub MCP Server functionality, your PAT needs:
+- `repo` - Full repository access
+- `read:org` - Organization membership (if accessing org repos)
+- `workflow` - GitHub Actions access (if using workflow tools)
 
 </details>