docs/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md

title, intro, versions, topics, shortTitle

title	intro	versions	topics	shortTitle
Generating a user access token for a GitHub App	You can generate a user access token for your {% data variables.product.prodname_github_app %} in order to attribute app activity to a user.	fpt ghes ghae ghec * * * *	GitHub Apps	Generate a user access token

About user access tokens

{% data reusables.pre-release-program.expiring-user-access-tokens %}

A user access token is a type of OAuth token. Unlike a traditional OAuth token, the user access token does not use scopes. Instead, it uses fine-grained permissions. A user access token only has permissions that both the user and the app have. For example, if the app was granted permission to write the contents of a repository, but the user can only read the contents, then the user access token can only read the contents.

Similarly, a user access token can only access resources that both the user and app can access. For example, if an app is granted access to repository A and B, and the user can access repository B and C, the user access token can access repository B but not A or C. You can use the REST API to check which installations and which repositories within an installation a user access token can access. For more information, see GET /user/installations and GET /user/installations/{installation_id}/repositories in "AUTOTITLE."

When you make API requests with a user access token, the rate limits for user access tokens apply. For more information, see "AUTOTITLE."

By default, the user access token expires after 8 hours. You can use a refresh token to regenerate a user access token. For more information, see "AUTOTITLE."

Users can revoke their authorization of a {% data variables.product.prodname_github_app %}. For more information, see "AUTOTITLE." If a user revokes their authorization of a {% data variables.product.prodname_github_app %}, the app will receive the github_app_authorization webhook. {% data variables.product.prodname_github_apps %} cannot unsubscribe from this event. If your app receives this webhook, you should stop calling the API on behalf of the user who revoked the token. If your app continues to use a revoked access token, it will receive the 401 Bad Credentials error. For more information about this webhook, see "AUTOTITLE"

Using the web application flow to generate a user access token

If your app runs in the browser, you should use the web application flow to generate a user access token.

1. Direct the user to this URL, and add any necessary query parameters from the following list of parameters: {% data variables.product.oauth_host_code %}/login/oauth/authorize. For example, this URL specifies the client_id and state parameters: {% data variables.product.oauth_host_code %}/login/oauth/authorize?client_id=12345&state=abcdefg.

   Query parameter	Type	Description
   client_id	string	Required. The client ID for your {% data variables.product.prodname_github_app %}. The client ID is different from the app ID. You can find the client ID on the settings page for your app. For user-owned apps, the settings page is https://github.com/settings/apps/APP-SLUG. For organization-owned apps, the settings page is https://github.com/organizations/ORGANIZATION/settings/apps/APP-SLUG. Replace APP-SLUG with the sluggified name of your app and ORGANIZATION with the sluggified name of your organization. For example, https://github.com/organizations/octo-org/settings/apps/octo-app.
   redirect_uri	string	The URL in your application where users will be sent after authorization. This must be an exact match to one of the URLs you provided as a "Callback URL" in your app's settings and can't contain any additional parameters.
   state	string	When specified, the value should contain a random string to protect against forgery attacks, and it can also contain any other arbitrary data.
   login	string	When specified, the web application flow will prompt users with a specific account they can use for signing in and authorizing your app.
   allow_signup	boolean	Whether unauthenticated users will be offered an option to sign up for {% data variables.product.prodname_dotcom %} during the OAuth flow. The default is true. Use false when a policy prohibits signups.

2. If the user accepts your authorization request, {% data variables.product.company_short %} will redirect the user to one of the callback URLs in your app settings, and provide a code query parameter you can use in the next step to create a user access token. If you specified redirect_uri in the previous step, that callback URL will be used. Otherwise, the first callback URL on your app's settings page will be used.

   If you specified the state parameter in the previous step, {% data variables.product.company_short %} will also include a state parameter. If the state parameter does not match the state parameter that you sent in the previous step, the request cannot be trusted, and the web application flow should be aborted.

{% data reusables.apps.web-app-flow-exchange-code %}

{% data reusables.apps.web-app-flow-token-response %}

{% data reusables.apps.user-access-token-example-request %}

Using the device flow to generate a user access token

{% note %}

Note: The device flow is in public beta and subject to change.

{% endnote %}

If your app is headless or does not have access to a browser, you should use the device flow to generate a user access token. For example, CLI tools or Git credential mangers should use the device flow.

{% ifversion device-flow-is-opt-in %}Before you can use the device flow to identify and authorize users, you must first enable it in your app's settings. For more information on enabling device flow, see "AUTOTITLE." {% endif %}

The device flow uses the OAuth 2.0 Device Authorization Grant.

1. Send a POST request to {% data variables.product.oauth_host_code %}/login/device/code along with a client_id query parameter. The client ID is different from the app ID. You can find the client ID on the settings page for your app.

   • For user-owned apps, the settings page is https://github.com/settings/apps/APP-SLUG.
   • For organization-owned apps, the settings page is https://github.com/organizations/ORGANIZATION/settings/apps/APP-SLUG.

   Replace APP-SLUG with the sluggified name of your app and ORGANIZATION with the sluggified name of your organization. For example, https://github.com/organizations/octo-org/settings/apps/octo-app.

2. {% data variables.product.company_short %} will respond with a response that includes the following parameters:

   Response parameter	Type	Description
   device_code	string	A verification code that is used to verify the device. This code is 40 characters long.
   user_code	string	A verification code that your application should display so that the user can enter the code in a browser. This code is 8 characters with a hyphen in the middle. For example, WDJB-MJHT.
   verification_uri	string	The URL where users need to enter their user_code. The URL is: {% data variables.product.device_authorization_url %}.
   expires_in	integer	The number of seconds before the device_code and user_code expire. The default is 900 seconds (15 minutes).
   interval	integer	The minimum number of seconds that must pass before you can make a new access token request (POST {% data variables.product.oauth_host_code %}/login/oauth/access_token) to complete the device authorization. If you make a request before this interval passes, then you will hit the rate limit and receive a slow_down error. The default is 5 seconds.

3. Prompt the user to enter the user_code from the previous step at {% data variables.product.device_authorization_url %}.

   If the user does not enter the code before the expires_in time passes, the code will be invalid. In this case, you should restart the device flow.

4. Poll POST {% data variables.product.oauth_host_code %}/login/oauth/access_token along with the client_id, device_code, and grant_type query parameters (described below) until the device and user codes expire or the user has successfully authorized the app by entering the user_code.

   Query parameter	Type	Description
   client_id	string	Required. The client ID for your {% data variables.product.prodname_github_app %}.
   device_code	string	Required. The device verification code you received in the previous step.
   grant_type	string	Required. The grant type must be urn:ietf:params:oauth:grant-type:device_code.

   Do not poll this endpoint at a higher frequency than the frequency indicated by interval. If you do, you will hit the rate limit and receive a slow_down error. The slow_down error response adds 5 seconds to the last interval.

5. Once the user has entered the user_code, {% data variables.product.company_short %} will respond with a response body that includes the following parameters:

   {% data reusables.apps.user-access-token-response-parameters %}

{% data reusables.apps.user-access-token-example-request %}

Error codes for the device flow

Error code	Description
authorization_pending	This error occurs when the authorization request is pending and the user hasn't entered the user code yet. The app is expected to keep polling the POST {% data variables.product.oauth_host_code %}/login/oauth/access_token at a frequency no faster than the frequency specified by interval.
slow_down	When you receive the slow_down error, 5 extra seconds are added to the minimum interval or timeframe required between your requests using POST {% data variables.product.oauth_host_code %}/login/oauth/access_token. For example, if the starting interval required at least 5 seconds between requests and you get a slow_down error response, you must now wait a minimum of 10 seconds before making a new request for a token. The error response includes the new interval that you must use.
expired_token	If the device code expired, then you will see the token_expired error. You must make a new request for a device code.
unsupported_grant_type	The grant type must be urn:ietf:params:oauth:grant-type:device_code and included as an input parameter when you poll the OAuth token request POST {% data variables.product.oauth_host_code %}/login/oauth/access_token.
incorrect_client_credentials	For the device flow, you must pass your app's client ID, which you can find on your app settings page. The client ID is different from the app ID and client secret.
incorrect_device_code	The device_code provided is not valid.
access_denied	When a user clicks cancel during the authorization process, you'll receive an access_denied error, and the user won't be able to use the verification code again.{% ifversion device-flow-is-opt-in %}
device_flow_disabled	Device flow has not been enabled in the app's settings. For more information on enabling device flow, see "AUTOTITLE."{% endif %}

Generating a user access token when a user installs your app

If you select Request user authorization (OAuth) during installation in your app settings, {% data variables.product.company_short %} will start the web application flow immediately after a user installs your app.

You can generate a user access token with this method regardless of whether the app is installed on a user account or an organization account. However, if the app was installed on an organization account, you will need to use the web application flow or device flow to generate a user access token for other users in the organization.

1. When a user installs your app, {% data variables.product.company_short %} will redirect the user to {% data variables.product.oauth_host_code %}/login/oauth/authorize?client_id=CLIENT_ID, where CLIENT_ID is the client ID of your app.

2. If the user accepts your authorization request, {% data variables.product.company_short %} will redirect the user to the first callback URL in your app settings, and provide a code query parameter.

   If you want to control which callback URL is used, do not select Request user authorization (OAuth) during installation. Instead, direct users through the full web application flow and specify the redirect_uri parameter.

{% data reusables.apps.web-app-flow-exchange-code %}

{% data reusables.apps.web-app-flow-token-response %}

{% data reusables.apps.user-access-token-example-request %}

Using a refresh token to generate a user access token

By default, user access tokens expires after 8 hours. If you receive a user access token with an expiration, you will also receive a refresh token. The refresh token expire after 6 months. You can use this refresh token to regenerate a user access token. For more information, see "AUTOTITLE."

{% data variables.product.company_short %} strongly encourages you to use user access tokens that expire. If you previously opted out of using user access tokens that expire but want to reenable this feature, see "AUTOTITLE".

Supported endpoints for user access tokens

{% ifversion fpt or ghec %}

Actions Runners

• List runner applications for a repository
• List self-hosted runners for a repository
• Get a self-hosted runner for a repository
• Delete a self-hosted runner from a repository
• Create a registration token for a repository
• Create a remove token for a repository
• List runner applications for an organization
• List self-hosted runners for an organization
• Get a self-hosted runner for an organization
• Delete a self-hosted runner from an organization
• Create a registration token for an organization
• Create a remove token for an organization

Actions Secrets

• Get a repository public key
• List repository secrets
• Get a repository secret
• Create or update a repository secret
• Delete a repository secret
• Get an organization public key
• List organization secrets
• Get an organization secret
• Create or update an organization secret
• List selected repositories for an organization secret
• Set selected repositories for an organization secret
• Add selected repository to an organization secret
• Remove selected repository from an organization secret
• Delete an organization secret {% endif %}

{% ifversion fpt or ghec %}

Artifacts

• List artifacts for a repository
• List workflow run artifacts
• Get an artifact
• Delete an artifact
• Download an artifact {% endif %}

Check Runs

• Create a check run
• Get a check run
• Update a check run
• List check run annotations
• List check runs in a check suite
• List check runs for a Git reference

Check Suites

• Create a check suite
• Get a check suite
• Rerequest a check suite
• Update repository preferences for check suites
• List check suites for a Git reference

Codes Of Conduct

• Get all codes of conduct
• Get a code of conduct

Deployment Statuses

• List deployment statuses
• Create a deployment status
• Get a deployment status

Deployments

• List deployments
• Create a deployment
• Get a deployment
• Delete a deployment

Events

• List public events for a network of repositories
• List public organization events

Feeds

• Get feeds

Git Blobs

• Create a blob
• Get a blob

Git Commits

• Create a commit
• Get a commit

Git Refs

• Create a reference
• Get a reference
• List matching references
• Update a reference
• Delete a reference

Git Tags

• Create a tag object
• Get a tag

Git Trees

• Create a tree
• Get a tree

Gitignore Templates

• Get all gitignore templates
• Get a gitignore template

Installations

• List repositories accessible to the user access token

{% ifversion fpt or ghec %}

Interaction Limits

• Get interaction restrictions for an organization
• Set interaction restrictions for an organization
• Remove interaction restrictions for an organization
• Get interaction restrictions for a repository
• Set interaction restrictions for a repository
• Remove interaction restrictions for a repository {% endif %}

Issue Assignees

• Add assignees to an issue
• Remove assignees from an issue

Issue Comments

• List issue comments
• Create an issue comment
• List issue comments for a repository
• Get an issue comment
• Update an issue comment
• Delete an issue comment

Issue Events

• List issue events

Issue Timeline

• List timeline events for an issue

Issues

• List issues assigned to the authenticated user
• List assignees
• Check if a user can be assigned
• List repository issues
• Create an issue
• Get an issue
• Update an issue
• Lock an issue
• Unlock an issue

{% ifversion fpt or ghec %}

Jobs

• Get a job for a workflow run
• Download job logs for a workflow run
• List jobs for a workflow run {% endif %}

Labels

• List labels for an issue
• Add labels to an issue
• Set labels for an issue
• Remove all labels from an issue
• Remove a label from an issue
• List labels for a repository
• Create a label
• Get a label
• Update a label
• Delete a label
• Get labels for every issue in a milestone

Licenses

• Get all commonly used licenses
• Get a license

Markdown

• Render a Markdown document
• Render a markdown document in raw mode

Meta

• Meta

Milestones

• List milestones
• Create a milestone
• Get a milestone
• Update a milestone
• Delete a milestone

Organization Hooks

• List organization webhooks
• Create an organization webhook
• Get an organization webhook
• Update an organization webhook
• Delete an organization webhook
• Ping an organization webhook

{% ifversion fpt or ghec %}

Organization Invitations

• List pending organization invitations
• Create an organization invitation
• List organization invitation teams {% endif %}

Organization Members

• List organization members
• Check organization membership for a user
• Remove an organization member
• Get organization membership for a user
• Set organization membership for a user
• Remove organization membership for a user
• List public organization members
• Check public organization membership for a user
• Set public organization membership for the authenticated user
• Remove public organization membership for the authenticated user

Organization Outside Collaborators

• List outside collaborators for an organization
• Convert an organization member to outside collaborator
• Remove outside collaborator from an organization

{% ifversion ghes %}

Organization Pre Receive Hooks

• List pre-receive hooks for an organization
• Get a pre-receive hook for an organization
• Update pre-receive hook enforcement for an organization
• Remove pre-receive hook enforcement for an organization {% endif %}

Organization Team Projects

• List team projects
• Check team permissions for a project
• Add or update team project permissions
• Remove a project from a team

Organization Team Repositories

• List team repositories
• Check team permissions for a repository
• Add or update team repository permissions
• Remove a repository from a team

{% ifversion fpt or ghec %}

Organization Team Sync

• List IdP groups for a team
• Create or update IdP group connections
• List IdP groups for an organization {% endif %}

Organization Teams

• List teams
• Create a team
• Get a team by name
• Update a team
• Delete a team {% ifversion fpt or ghec %}
• List pending team invitations {% endif %}
• List team members
• Get team membership for a user
• Add or update team membership for a user
• Remove team membership for a user
• List child teams
• List teams for the authenticated user

Organizations

• List organizations
• Get an organization
• Update an organization
• List organization memberships for the authenticated user
• Get an organization membership for the authenticated user
• Update an organization membership for the authenticated user
• List organizations for the authenticated user
• List organizations for a user

{% ifversion fpt or ghec %}

Organizations Credential Authorizations

• List SAML SSO authorizations for an organization
• Remove a SAML SSO authorization for an organization {% endif %}

{% ifversion fpt or ghec %}

Organizations Scim

• List SCIM provisioned identities
• Provision and invite a SCIM user
• Get SCIM provisioning information for a user
• Set SCIM information for a provisioned user
• Update an attribute for a SCIM user
• Delete a SCIM user from an organization {% endif %}

{% ifversion fpt or ghec %}

Source Imports

• Get an import status
• Start an import
• Update an import
• Cancel an import
• Get commit authors
• Map a commit author
• Get large files
• Update Git LFS preference {% endif %}

Project Collaborators

• List project collaborators
• Add project collaborator
• Remove project collaborator
• Get project permission for a user

Projects

• List organization projects
• Create an organization project
• Get a project
• Update a project
• Delete a project
• List project columns
• Create a project column
• Get a project column
• Update a project column
• Delete a project column
• List project cards
• Create a project card
• Move a project column
• Get a project card
• Update a project card
• Delete a project card
• Move a project card
• List repository projects
• Create a repository project

Pull Comments

• List review comments on a pull request
• Create a review comment for a pull request
• List review comments in a repository
• Get a review comment for a pull request
• Update a review comment for a pull request
• Delete a review comment for a pull request

Pull Request Review Events

• Dismiss a review for a pull request
• Submit a review for a pull request

Pull Request Review Requests

• List requested reviewers for a pull request
• Request reviewers for a pull request
• Remove requested reviewers from a pull request

Pull Request Reviews

• List reviews for a pull request
• Create a review for a pull request
• Get a review for a pull request
• Update a review for a pull request
• List comments for a pull request review

Pulls

• List pull requests
• Create a pull request
• Get a pull request
• Update a pull request
• List commits on a pull request
• List pull requests files
• Check if a pull request has been merged
• Merge a pull request (Merge Button)

Reactions

• Delete a reaction
• List reactions for a commit comment
• Create reaction for a commit comment
• List reactions for an issue
• Create reaction for an issue
• List reactions for an issue comment
• Create reaction for an issue comment
• List reactions for a pull request review comment
• Create reaction for a pull request review comment
• List reactions for a team discussion comment
• Create reaction for a team discussion comment
• List reactions for a team discussion
• Create reaction for a team discussion
• Delete a commit comment reaction
• Delete an issue reaction
• Delete a reaction to a commit comment
• Delete a pull request comment reaction
• Delete team discussion reaction
• Delete team discussion comment reaction

Repositories

• List organization repositories
• Create a repository for the authenticated user
• Get a repository
• Update a repository
• Delete a repository
• Compare two commits
• List repository contributors
• List forks
• Create a fork
• List repository languages
• List repository tags
• List repository teams
• Transfer a repository
• List public repositories
• List repositories for the authenticated user
• List repositories for a user
• Create repository using a repository template

Repository Activity

• List stargazers
• List watchers
• List repositories starred by a user
• Check if a repository is starred by the authenticated user
• Star a repository for the authenticated user
• Unstar a repository for the authenticated user
• List repositories watched by a user

{% ifversion fpt or ghec %}

Repository Automated Security Fixes

• Enable automated security fixes
• Disable automated security fixes {% endif %}

Repository Branches

• List branches
• Get a branch
• Get branch protection
• Update branch protection
• Delete branch protection
• Get admin branch protection
• Set admin branch protection
• Delete admin branch protection
• Get pull request review protection
• Update pull request review protection
• Delete pull request review protection
• Get commit signature protection
• Create commit signature protection
• Delete commit signature protection
• Get status checks protection
• Update status check protection
• Remove status check protection
• Get all status check contexts
• Add status check contexts
• Set status check contexts
• Remove status check contexts
• Get access restrictions
• Delete access restrictions
• List teams with access to the protected branch
• Add team access restrictions
• Set team access restrictions
• Remove team access restriction
• List user restrictions of protected branch
• Add user access restrictions
• Set user access restrictions
• Remove user access restrictions
• Merge a branch

Repository Collaborators

• List repository collaborators
• Check if a user is a repository collaborator
• Add a repository collaborator
• Remove a repository collaborator
• Get repository permissions for a user

Repository Commit Comments

• List commit comments for a repository
• Get a commit comment
• Update a commit comment
• Delete a commit comment
• List commit comments
• Create a commit comment

Repository Commits

• List commits
• Get a commit
• List branches for head commit
• List pull requests associated with commit

Repository Community

• Get the code of conduct for a repository {% ifversion fpt or ghec %}
• Get community profile metrics {% endif %}

Repository Contents

• Download a repository archive
• Get repository content
• Create or update file contents
• Delete a file
• Get a repository README
• Get the license for a repository

Repository Event Dispatches

• Create a repository dispatch event

Repository Hooks

• List repository webhooks
• Create a repository webhook
• Get a repository webhook
• Update a repository webhook
• Delete a repository webhook
• Ping a repository webhook
• Test the push repository webhook

Repository Invitations

• List repository invitations
• Update a repository invitation
• Delete a repository invitation
• List repository invitations for the authenticated user
• Accept a repository invitation
• Decline a repository invitation

Repository Keys

• List deploy keys
• Create a deploy key
• Get a deploy key
• Delete a deploy key

Repository Pages

• Get a GitHub Pages site
• Create a GitHub Pages site
• Update information about a GitHub Pages site
• Delete a GitHub Pages site
• List GitHub Pages builds
• Request a GitHub Pages build
• Get GitHub Pages build
• Get latest pages build

{% ifversion ghes %}

Repository Pre Receive Hooks

• List pre-receive hooks for a repository
• Get a pre-receive hook for a repository
• Update pre-receive hook enforcement for a repository
• Remove pre-receive hook enforcement for a repository {% endif %}

Repository Releases

• List releases
• Create a release
• Get a release
• Update a release
• Delete a release
• List release assets
• Get a release asset
• Update a release asset
• Delete a release asset
• Get the latest release
• Get a release by tag name

Repository Stats

• Get the weekly commit activity
• Get the last year of commit activity
• Get all contributor commit activity
• Get the weekly commit count
• Get the hourly commit count for each day

{% ifversion fpt or ghec %}

Repository Vulnerability Alerts

• Enable vulnerability alerts
• Disable vulnerability alerts {% endif %}

Root

• Root endpoint
• Emojis
• Get rate limit status for the authenticated user

Search

• Search code
• Search commits
• Search labels
• Search repositories
• Search topics
• Search users

Statuses

• Get the combined status for a specific reference
• List commit statuses for a reference
• Create a commit status

Team Discussions

• List discussions
• Create a discussion
• Get a discussion
• Update a discussion
• Delete a discussion
• List discussion comments
• Create a discussion comment
• Get a discussion comment
• Update a discussion comment
• Delete a discussion comment

Topics

• Get all repository topics
• Replace all repository topics

{% ifversion fpt or ghec %}

Traffic

• Get repository clones
• Get top referral paths
• Get top referral sources
• Get page views {% endif %}

{% ifversion fpt or ghec %}

User Blocking

• List users blocked by the authenticated user
• Check if a user is blocked by the authenticated user
• List users blocked by an organization
• Check if a user is blocked by an organization
• Block a user from an organization
• Unblock a user from an organization
• Block a user
• Unblock a user {% endif %}

{% ifversion fpt or ghes or ghec %}

User Emails

{% ifversion fpt or ghec %}

• Set primary email visibility for the authenticated user {% endif %}
• List email addresses for the authenticated user
• Add email address(es)
• Delete email address(es)
• List public email addresses for the authenticated user {% endif %}

User Followers

• List followers of a user
• List the people a user follows
• Check if a person is followed by the authenticated user
• Follow a user
• Unfollow a user
• Check if a user follows another user

User Gpg Keys

• List GPG keys for the authenticated user
• Create a GPG key for the authenticated user
• Get a GPG key for the authenticated user
• Delete a GPG key for the authenticated user
• List gpg keys for a user

User Public Keys

• List public SSH keys for the authenticated user
• Create a public SSH key for the authenticated user
• Get a public SSH key for the authenticated user
• Delete a public SSH key for the authenticated user
• List public keys for a user

Users

• Get the authenticated user
• List app installations accessible to the user access token {% ifversion fpt or ghec %}
• List subscriptions for the authenticated user {% endif %}
• List users
• Get a user

{% ifversion fpt or ghec %}

Workflow Runs

• List workflow runs for a repository
• Get a workflow run
• Cancel a workflow run
• Download workflow run logs
• Delete workflow run logs
• Re run a workflow
• List workflow runs
• Get workflow run usage {% endif %}

{% ifversion fpt or ghec %}

Workflows

• List repository workflows
• Get a workflow
• Get workflow usage {% endif %}