What makes me the most happy about this is that they ask for the password in order to add a key now.
I was always very afraid of XSS attacks (I know - there shouldn't be any - but there could and were, though not for this) that would add another key, so I always hoped they would add that additional bit of protection.
As such: Another huge thanks to @homakov for forcing the issue.
Note to sibling comment by SaltwaterC: a previous negatively-voted comment (https://news.ycombinator.com/item?id=3593799) got your account auto-killed.
SaltwaterC 5 hours ago | link [dead]
The API token is still there, in the "plain": https://github.com/settings/admin
Fetching it via XSS should be fairly trivial. Via a simple script in that page is straight forward. Still have to see if I can get it via XHR :).