I use a custom auth-source backend for querying the Unix pass utility (which I wrote because the now-built-in auth-source-pass backend suffers from several bugs/limitations which I have not yet addressed upstream).

One (under-documented) auth-source feature which my backend supports is the :require search property. Quoth the docstring of auth-source-search:

:require (A B C) means that only results that contain those
tokens will be returned.  Thus for instance requiring :secret
will ensure that any results will actually have a :secret
property.

No callers of ghub--auth-source-get currently specify the :require property. The effect of this is that Ghub unconditionally uses the first search result, even when I have multiple api.github.com tokens that differ only in the :user (AIUI, auth-source-search searches based on a union of all specified properties when :require is omitted; see (auth) Help for developers).

If ghub--token specified the :require property, then this would disambiguate the multiple api.github.com tokens I have. To address this, I currently intercept calls to ghub--auth-source-get and add the :require property myself using advice.

So I think that ghub--token should specify the :require property, but maybe I'm missing something? WDYT?

Sounds good.

Closing; see #61 (comment).