docs/content/developers/apps/identifying-and-authorizing-users-for-github-apps.md

title, intro, redirect_from, versions

title	intro	redirect_from	versions
Identifying and authorizing users for GitHub Apps	{% data reusables.shortdesc.identifying_and_authorizing_github_apps %}	/early-access/integrations/user-identification-authorization/ /apps/building-integrations/setting-up-and-registering-github-apps/identifying-users-for-github-apps/ /apps/building-github-apps/identifying-and-authorizing-users-for-github-apps	free-pro-team enterprise-server * *

{% data reusables.pre-release-program.expiring-user-access-tokens-beta %}

When your GitHub App acts on behalf of a user, it performs user-to-server requests. These requests must be authorized with a user's access token. User-to-server requests include requesting data for a user, like determining which repositories to display to a particular user. These requests also include actions triggered by a user, like running a build.

{% data reusables.apps.expiring_user_authorization_tokens %}

Identifying users on your site

To authorize users for standard apps that run in the browser, use the web application flow.

{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} To authorize users for headless apps without direct access to the browser, such as CLI tools or Git credential managers, use the device flow. The device flow uses the OAuth 2.0 Device Authorization Grant. {% endif %}

Web application flow

Using the web application flow, the process to identify users on your site is:

1. Users are redirected to request their GitHub identity
2. Users are redirected back to your site by GitHub
3. Your GitHub App accesses the API with the user's access token

If you select Request user authorization (OAuth) during installation when creating or modifying your app, step 1 will be completed during app installation. For more information, see "Authorizing users during installation."

1. Request a user's GitHub identity

GET {% data variables.product.oauth_host_code %}/login/oauth/authorize

When your GitHub App specifies a login parameter, it prompts users with a specific account they can use for signing in and authorizing your app.

Parameters

Name	Type	Description
client_id	string	Required. The client ID for your GitHub App. You can find this in your GitHub App settings when you select your app.
redirect_uri	string	The URL in your application where users will be sent after authorization. This must be an exact match to the URL you provided in the User authorization callback URL field when setting up your GitHub App and can't contain any additional parameters.
state	string	This should contain a random string to protect against forgery attacks and could contain any other arbitrary data.
login	string	Suggests a specific account to use for signing in and authorizing the app.

{% note %}

Note: You don't need to provide scopes in your authorization request. Unlike traditional OAuth, the authorization token is limited to the permissions associated with your GitHub App and those of the user.

{% endnote %}

2. Users are redirected back to your site by GitHub

If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. If the states don't match, the request was created by a third party and the process should be aborted.

{% note %}

Note: If you select Request user authorization (OAuth) during installation when creating or modifying your app, GitHub returns a temporary code that you will need to exchange for an access token. The state parameter is not returned when GitHub initiates the OAuth flow during app installation.

{% endnote %}

Exchange this code for an access token. {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} When expiring tokens are enabled, the access token expires in 8 hours and the refresh token expires in 6 months. Every time you refresh the token, you get a new refresh token. For more information, see "Refreshing user-to-server access tokens."

Expiring user tokens are currently part of the user-to-server token expiration beta and subject to change. To opt-in to the user-to-server token expiration beta feature, see "Activating beta features for apps."{% endif %}

POST {% data variables.product.oauth_host_code %}/login/oauth/access_token

Parameters

Name	Type	Description
client_id	string	Required. The client ID for your GitHub App.
client_secret	string	Required. The client secret for your GitHub App.
code	string	Required. The code you received as a response to Step 1.
redirect_uri	string	The URL in your application where users are sent after authorization.
state	string	The unguessable random string you provided in Step 1.

Response

{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}

By default, the response takes the following form. The response parameters expires_in, refresh_token, and refresh_token_expires_in are only returned when you enable the beta for expiring user-to-server access tokens.

{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a",
  "expires_in": "28800",
  "refresh_token": "r1.c1b4a2e77838347a7e420ce178f2e7c6912e1692",
  "refresh_token_expires_in": "15811200",
  "scope": "",
  "token_type": "bearer"
}

{% else %}

By default, the response takes the following form:

access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer

{% endif %}

3. Your GitHub App accesses the API with the user's access token

The user's access token allows the GitHub App to make requests to the API on behalf of a user.

Authorization: token OAUTH-TOKEN
GET {% data variables.product.api_url_code %}/user

For example, in curl you can set the Authorization header like this:

curl -H "Authorization: token OAUTH-TOKEN" {% data variables.product.api_url_pre %}/user

{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}

Device flow

{% note %}

Note: The device flow is in public beta and subject to change.{% if currentVersion == "free-pro-team@latest" %} To enable this beta feature, see "Activating beta features for apps."{% endif %}

{% endnote %}

The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.

For more information about authorizing users using the device flow, see "Authorizing OAuth Apps".

{% endif %}

Check which installation's resources a user can access

{% if currentVersion != "free-pro-team@latest" and currentVersion ver_lt "enterprise-server@2.22" %} {% data reusables.pre-release-program.machine-man-preview %} {% data reusables.pre-release-program.api-preview-warning %} {% endif %}

Once you have an OAuth token for a user, you can check which installations that user can access.

Authorization: token OAUTH-TOKEN
GET /user/installations

You can also check which repositories are accessible to a user for an installation.

Authorization: token OAUTH-TOKEN
GET /user/installations/:installation_id/repositories

More details can be found in: List app installations accessible to the user access token and List repositories accessible to the user access token.

Handling a revoked GitHub App authorization

If a user revokes their authorization of a GitHub App, the app will receive the github_app_authorization webhook by default. GitHub Apps cannot unsubscribe from this event. {% data reusables.webhooks.authorization_event %}

User-level permissions

You can add user-level permissions to your GitHub App to access user resources, such as user emails, that are granted by individual users as part of the user authorization flow. User-level permissions differ from repository and organization-level permissions, which are granted at the time of installation on an organization or user account.

You can select user-level permissions from within your GitHub App's settings in the User permissions section of the Permissions & webhooks page. For more information on selecting permissions, see "Editing a GitHub App's permissions."

When a user installs your app on their account, the installation prompt will list the user-level permissions your app is requesting and explain that the app can ask individual users for these permissions.

Because user-level permissions are granted on an individual user basis, you can add them to your existing app without prompting users to upgrade. You will, however, need to send existing users through the user authorization flow to authorize the new permission and get a new user-to-server token for these requests.

User-to-server requests

While most of your API interaction should occur using your server-to-server installation access tokens, certain endpoints allow you to perform actions via the API using a user access token. Your app can make the following requests using GraphQL v4 or REST v3 endpoints.

Supported endpoints

{% if currentVersion == "free-pro-team@latest" %}

Actions Runners

• List runner applications for a repository
• List self-hosted runners for a repository
• Get a self-hosted runner for a repository
• Delete a self-hosted runner from a repository
• Create a registration token for a repository
• Create a remove token for a repository
• List runner applications for an organization
• List self-hosted runners for an organization
• Get a self-hosted runner for an organization
• Delete a self-hosted runner from an organization
• Create a registration token for an organization
• Create a remove token for an organization

Actions Secrets

• Get a repository public key
• List repository secrets
• Get a repository secret
• Create or update a repository secret
• Delete a repository secret
• Get an organization public key
• List organization secrets
• Get an organization secret
• Create or update an organization secret
• List selected repositories for an organization secret
• Set selected repositories for an organization secret
• Add selected repository to an organization secret
• Remove selected repository from an organization secret
• Delete an organization secret {% endif %}

{% if currentVersion == "free-pro-team@latest" %}

Artifacts

• List artifacts for a repository
• List workflow run artifacts
• Get an artifact
• Delete an artifact
• Download an artifact {% endif %}

Check Runs

• Create a check run
• Get a check run
• Update a check run
• List check run annotations
• List check runs in a check suite
• List check runs for a Git reference

Check Suites

• Create a check suite
• Get a check suite
• Rerequest a check suite
• Update repository preferences for check suites
• List check suites for a Git reference

Codes Of Conduct

• Get all codes of conduct
• Get a code of conduct

Deployment Statuses

• List deployment statuses
• Create a deployment status
• Get a deployment status

Deployments

• List deployments
• Create a deployment
• Get a deployment{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}
• Delete a deployment{% endif %}

Events

• List public events for a network of repositories
• List public organization events

Feeds

• Get feeds

Git Blobs

• Create a blob
• Get a blob

Git Commits

• Create a commit
• Get a commit

Git Refs

• Create a reference* Get a reference
• List matching references
• Update a reference
• Delete a reference

Git Tags

• Create a tag object
• Get a tag

Git Trees

• Create a tree
• Get a tree

Gitignore Templates

• Get all gitignore templates
• Get a gitignore template

Installations

• List repositories accessible to the user access token

{% if currentVersion == "free-pro-team@latest" %}

Interaction Limits

• Get interaction restrictions for an organization
• Set interaction restrictions for an organization
• Remove interaction restrictions for an organization
• Get interaction restrictions for a repository
• Set interaction restrictions for a repository
• Remove interaction restrictions for a repository {% endif %}

Issue Assignees

• Add assignees to an issue
• Remove assignees from an issue

Issue Comments

• List issue comments
• Create an issue comment
• List issue comments for a repository
• Get an issue comment
• Update an issue comment
• Delete an issue comment

Issue Events

• List issue events

Issue Timeline

• List timeline events for an issue

Issues

• List issues assigned to the authenticated user
• List assignees
• Check if a user can be assigned
• List repository issues
• Create an issue
• Get an issue
• Update an issue
• Lock an issue
• Unlock an issue

{% if currentVersion == "free-pro-team@latest" %}

Jobs

• Get a job for a workflow run
• Download job logs for a workflow run
• List jobs for a workflow run {% endif %}

Labels

• List labels for an issue
• Add labels to an issue
• Set labels for an issue
• Remove all labels from an issue
• Remove a label from an issue
• List labels for a repository
• Create a label
• Get a label
• Update a label
• Delete a label
• Get labels for every issue in a milestone

Licenses

• Get all commonly used licenses
• Get a license

Markdown

• Render a Markdown document
• Render a markdown document in raw mode

Meta

• Meta

Milestones

• List milestones
• Create a milestone
• Get a milestone
• Update a milestone
• Delete a milestone

Organization Hooks

• List organization webhooks
• Create an organization webhook
• Get an organization webhook
• Update an organization webhook
• Delete an organization webhook
• Ping an organization webhook

{% if currentVersion == "free-pro-team@latest" %}

Organization Invitations

• List pending organization invitations
• Create an organization invitation
• List organization invitation teams {% endif %}

Organization Members

• List organization members
• Check organization membership for a user
• Remove an organization member
• Get organization membership for a user
• Set organization membership for a user
• Remove organization membership for a user
• List public organization members
• Check public organization membership for a user
• Set public organization membership for the authenticated user
• Remove public organization membership for the authenticated user

Organization Outside Collaborators

• List outside collaborators for an organization
• Convert an organization member to outside collaborator
• Remove outside collaborator from an organization

{% if currentVersion != "free-pro-team@latest" %}

Organization Pre Receive Hooks

• List pre-receive hooks for an organization
• Get a pre-receive hook for an organization
• Update pre-receive hook enforcement for an organization
• Remove pre-receive hook enforcement for an organization {% endif %}

{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}

Organization Team Projects

• List team projects
• Check team permissions for a project
• Add or update team project permissions
• Remove a project from a team {% endif %}

Organization Team Repositories

• List team repositories
• Check team permissions for a repository
• Add or update team repository permissions
• Remove a repository from a team

{% if currentVersion == "free-pro-team@latest" %}

Organization Team Sync

• List idp groups for a team
• Create or update idp group connections
• List IdP groups for an organization {% endif %}

Organization Teams

• List teams
• Create a team
• Get a team by name {% if currentVersion != "free-pro-team@latest" and currentVersion ver_lt "enterprise-server@2.21" %}
• Get a team {% endif %}
• Update a team
• Delete a team {% if currentVersion == "free-pro-team@latest" %}
• List pending team invitations {% endif %}
• List team members
• Get team membership for a user
• Add or update team membership for a user
• Remove team membership for a user
• List child teams
• List teams for the authenticated user

Organizations

• List organizations
• Get an organization
• Update an organization
• List organization memberships for the authenticated user
• Get an organization membership for the authenticated user
• Update an organization membership for the authenticated user
• List organizations for the authenticated user
• List organizations for a user

{% if currentVersion == "free-pro-team@latest" %}

Organizations Credential Authorizations

• List SAML SSO authorizations for an organization
• Remove a SAML SSO authorization for an organization {% endif %}

{% if currentVersion == "free-pro-team@latest" %}

Organizations Scim

• List SCIM provisioned identities
• Provision and invite a SCIM user
• Get SCIM provisioning information for a user
• Set SCIM information for a provisioned user
• Update an attribute for a SCIM user
• Delete a SCIM user from an organization {% endif %}

{% if currentVersion == "free-pro-team@latest" %}

Source Imports

• Get an import status
• Start an import
• Update an import
• Cancel an import
• Get commit authors
• Map a commit author
• Get large files
• Update Git LFS preference {% endif %}

Project Collaborators

• List project collaborators
• Add project collaborator
• Remove project collaborator
• Get project permission for a user

Projects

• List organization projects
• Create an organization project
• Get a project
• Update a project
• Delete a project
• List project columns
• Create a project column
• Get a project column
• Update a project column
• Delete a project column
• List project cards
• Create a project card
• Move a project column
• Get a project card
• Update a project card
• Delete a project card
• Move a project card
• List repository projects
• Create a repository project

Pull Comments

• List review comments on a pull request
• Create a review comment for a pull request
• List review comments in a repository
• Get a review comment for a pull request
• Update a review comment for a pull request
• Delete a review comment for a pull request

Pull Request Review Events

• Dismiss a review for a pull request
• Submit a review for a pull request

Pull Request Review Requests

• List requested reviewers for a pull request
• Request reviewers for a pull request
• Remove requested reviewers from a pull request

Pull Request Reviews

• List reviews for a pull request
• Create a review for a pull request
• Get a review for a pull request
• Update a review for a pull request
• List comments for a pull request review

Pulls

• List pull requests
• Create a pull request
• Get a pull request
• Update a pull request
• List commits on a pull request
• List pull requests files
• Check if a pull request has been merged
• Merge a pull request (Merge Button)

Reactions

{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}* Delete a reaction{% else %}* Delete a reaction{% endif %}

• List reactions for a commit comment
• Create reaction for a commit comment
• List reactions for an issue
• Create reaction for an issue
• List reactions for an issue comment
• Create reaction for an issue comment
• List reactions for a pull request review comment
• Create reaction for a pull request review comment
• List reactions for a team discussion comment
• Create reaction for a team discussion comment
• List reactions for a team discussion
• Create reaction for a team discussion{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}
• Delete a commit comment reaction
• Delete an issue reaction
• Delete a reaction to a commit comment
• Delete a pull request comment reaction
• Delete team discussion reaction
• Delete team discussion comment reaction{% endif %}

Repositories

• List organization repositories
• Create a repository for the authenticated user
• Get a repository
• Update a repository
• Delete a repository
• Compare two commits
• List repository contributors
• List forks
• Create a fork
• List repository languages
• List repository tags
• List repository teams
• Transfer a repository
• List public repositories
• List repositories for the authenticated user
• List repositories for a user
• Create repository using a repository template

Repository Activity

• List stargazers
• List watchers
• List repositories starred by a user
• Check if a repository is starred by the authenticated user
• Star a repository for the authenticated user
• Unstar a repository for the authenticated user
• List repositories watched by a user

{% if currentVersion == "free-pro-team@latest" %}

Repository Automated Security Fixes

• Enable automated security fixes
• Disable automated security fixes {% endif %}

Repository Branches

• List branches
• Get a branch
• Get branch protection
• Update branch protection
• Delete branch protection
• Get admin branch protection
• Set admin branch protection
• Delete admin branch protection
• Get pull request review protection
• Update pull request review protection
• Delete pull request review protection
• Get commit signature protection
• Create commit signature protection
• Delete commit signature protection
• Get status checks protection
• Update status check potection
• Remove status check protection
• Get all status check contexts
• Add status check contexts
• Set status check contexts
• Remove status check contexts
• Get access restrictions
• Delete access restrictions
• List teams with access to the protected branch
• Add team access restrictions
• Set team access restrictions
• Remove team access restriction
• List user restrictions of protected branch
• Add user access restrictions
• Set user access restrictions
• Remove user access restrictions
• Merge a branch

Repository Collaborators

• List repository collaborators
• Check if a user is a repository collaborator
• Add a repository collaborator
• Remove a repository collaborator
• Get repository permissions for a user

Repository Commit Comments

• List commit comments for a repository
• Get a commit comment
• Update a commit comment
• Delete a commit comment
• List commit comments
• Create a commit comment

Repository Commits

• List commits
• Get a commit
• List branches for head commit
• List pull requests associated with commit

Repository Community

• Get the code of conduct for a repository {% if currentVersion == "free-pro-team@latest" %}
• Get community profile metrics {% endif %}

Repository Contents

• Download a repository archive
• Get repository content
• Create or update file contents
• Delete a file
• Get a repository README
• Get the license for a repository

{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}

Repository Event Dispatches

• Create a repository dispatch event {% endif %}

Repository Hooks

• List repository webhooks
• Create a repository webhook
• Get a repository webhook
• Update a repository webhook
• Delete a repository webhook
• Ping a repository webhook
• Test the push repository webhook

Repository Invitations

• List repository invitations
• Update a repository invitation
• Delete a repository invitation
• List repository invitations for the authenticated user
• Accept a repository invitation
• Decline a repository invitation

Repository Keys

• List deploy keys
• Create a deploy key
• Get a deploy key
• Delete a deploy key

Repository Pages

• Get a GitHub Pages site
• Create a GitHub Pages site
• Update information about a GitHub Pages site
• Delete a GitHub Pages site
• List GitHub Pages builds
• Request a GitHub Pages build
• Get GitHub Pages build
• Get latest pages build

{% if currentVersion != "free-pro-team@latest" %}

Repository Pre Receive Hooks

• List pre-receive hooks for a repository
• Get a pre-receive hook for a repository
• Update pre-receive hook enforcement for a repository
• Remove pre-receive hook enforcement for a repository {% endif %}

Repository Releases

• List releases
• Create a release
• Get a release
• Update a release
• Delete a release
• List release assets
• Get a release asset
• Update a release asset
• Delete a release asset
• Get the latest release
• Get a release by tag name

Repository Stats

• Get the weekly commit activity
• Get the last year of commit activity
• Get all contributor commit activity
• Get the weekly commit count
• Get the hourly commit count for each day

{% if currentVersion == "free-pro-team@latest" %}

Repository Vulnerability Alerts

• Enable vulnerability alerts
• Disable vulnerability alerts {% endif %}

Root

• Root endpoint
• Emojis
• Get rate limit status for the authenticated user

Search

• Search code
• Search commits
• Search labels
• Search repositories
• Search topics
• Search users

Statuses

• Get the combined status for a specific reference
• List commit statuses for a reference
• Create a commit status

Team Discussions

• List discussions
• Create a discussion
• Get a discussion
• Update a discussion
• Delete a discussion
• List discussion comments
• Create a discussion comment
• Get a discussion comment
• Update a discussion comment
• Delete a discussion comment

Topics

• Get all repository topics
• Replace all repository topics

{% if currentVersion == "free-pro-team@latest" %}

Traffic

• Get repository clones
• Get top referral paths
• Get top referral sources
• Get page views {% endif %}

{% if currentVersion == "free-pro-team@latest" %}

User Blocking

• List users blocked by the authenticated user
• Check if a user is blocked by the authenticated user
• List users blocked by an organization
• Check if a user is blocked by an organization
• Block a user from an organization
• Unblock a user from an organization
• Block a user
• Unblock a user {% endif %}

User Emails

{% if currentVersion == "free-pro-team@latest" %}

• Set primary email visibility for the authenticated user {% endif %}
• List email addresses for the authenticated user
• Add email address(es)
• Delete email address(es)
• List public email addresses for the authenticated user

User Followers

• List followers of a user
• List the people a user follows
• Check if a person is followed by the authenticated user
• Follow a user
• Unfollow a user
• Check if a user follows another user

User Gpg Keys

• List GPG keys for the authenticated user
• Create a GPG key for the authenticated user
• Get a GPG key for the authenticated user
• Delete a GPG key for the authenticated user
• List gpg keys for a user

User Public Keys

• List public SSH keys for the authenticated user
• Create a public SSH key for the authenticated user
• Get a public SSH key for the authenticated user
• Delete a public SSH key for the authenticated user
• List public keys for a user

Users

• Get the authenticated user
• List app installations accessible to the user access token {% if currentVersion == "free-pro-team@latest" %}
• List subscriptions for the authenticated user {% endif %}
• List users
• Get a user

{% if currentVersion == "free-pro-team@latest" %}

Workflow Runs

• List workflow runs for a repository
• Get a workflow run
• Cancel a workflow run
• Download workflow run logs
• Delete workflow run logs
• Re run a workflow
• List workflow runs
• Get workflow run usage {% endif %}

{% if currentVersion == "free-pro-team@latest" %}

Workflows

• List repository workflows
• Get a workflow
• Get workflow usage {% endif %}