| title | shortTitle | intro | versions | topics | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Authenticating as a GitHub App installation |
Authenticate as an installation |
You can make your {% data variables.product.prodname_github_app %} authenticate as an installation in order to make API requests that affect resources owned by the account where the app is installed. |
|
|
Once your {% data variables.product.prodname_github_app %} is installed on an account, you can make it authenticate as an app installation for API requests. This allows the app to access resources owned by that installation, as long as the app was granted the necessary repository access and permissions. API requests made by an app installation are attributed to the app. For more information about installing GitHub Apps, see Installing GitHub Apps.
For example, if you want your app to change the Status field of an issue on a project owned by an organization called "octo-org," then you would authenticate as the octo-org installation of your app. The timeline of the issue would state that your app updated the status.
To make an API request as an installation, you must first generate an installation access token. Then, you will send the installation access token in the Authorization header of your subsequent API requests. You can also use {% data variables.product.company_short %}'s Octokit SDKs, which can generate an installation access token for you.
Some REST API endpoints do not accept installation access tokens, and most REST API endpoints require your app to have certain permissions to use an endpoint. To see whether a REST API endpoint accepts installation access tokens and to see what permissions are required, refer to the documentation for the endpoint.
App installations can also use the GraphQL API. Similar to the REST API, the app must have certain permissions to access objects in the GraphQL API. For GraphQL requests, you should test that your app has the required permissions for the GraphQL queries and mutations that you want to make.
You can also use an installation access token to authenticate for HTTP-based Git access. Your app must have the "Contents" repository permission. You can then use the installation access token as the HTTP password. Replace TOKEN with the installation access token: git clone https://x-access-token:[email protected]/owner/repo.git.
Requests made with an installation access token are sometimes called "server-to-server" requests.
For more information about authenticating as an app on behalf of a user instead of as an app installation, see AUTOTITLE.
To authenticate as an installation with an installation access token, first use the REST API to generate an installation access token. Then, use that installation access token in the Authorization header of a REST API or GraphQL API request. The installation access token will expire after 1 hour.
{% data reusables.apps.generate-installation-access-token %}
To authenticate with an installation access token, include it in the Authorization header of an API request. The access token will work with both the GraphQL API and the REST API.
Your app must have the required permissions to use the endpoint. For more information, see AUTOTITLE.
In the following example, replace INSTALLATION_ACCESS_TOKEN with an installation access token:
curl --request GET \
--url "{% data variables.product.rest_url %}/meta" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer INSTALLATION_ACCESS_TOKEN" \
--header "X-GitHub-Api-Version: {{ allVersions[currentVersion].latestApiVersion }}"You can use {% data variables.product.company_short %}'s Octokit.js SDK to authenticate as an app installation. One advantage of using the SDK to authenticate is that you do not need to generate a JSON web token (JWT) yourself. Additionally, the SDK will take care of regenerating an installation access token for you so you don't need to worry about the one hour expiration.
Note
You must install and import octokit in order to use the Octokit.js library. The following example uses import statements in accordance with ES6. For more information about different installation and import methods, see the Octokit.js README's Usage section.
-
Get the ID of your {% data variables.product.prodname_github_app %}. You can find your app's ID on the settings page for your {% data variables.product.prodname_github_app %}. For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see AUTOTITLE.
-
Generate a private key. For more information, see AUTOTITLE.
-
Get the ID of the installation that you want to authenticate as.
If you are responding to a webhook event, the webhook payload will include the installation ID.
You can also use the REST API to find the ID for an installation of your app. For example, you can get an installation ID with the
GET /users/{username}/installation,GET /repos/{owner}/{repo}/installation,GET /orgs/{org}/installation, orGET /app/installationsendpoints. For more information, see AUTOTITLE. -
Import
Appfromoctokit. Create a new instance ofApp. In the following example, replaceAPP_IDwith a reference to your app's ID. ReplacePRIVATE_KEYwith a reference to your app's private key.import { App } from "octokit"; const app = new App({ appId: APP_ID, privateKey: PRIVATE_KEY, });
-
Use the
getInstallationOctokitmethod to create an authenticatedoctokitinstance. In the following example, replaceINSTALLATION_IDwith the ID of the installation of your app that you want to authenticate on behalf of.const octokit = await app.getInstallationOctokit(INSTALLATION_ID);
-
Use an
octokitmethod to make a request to the API.Your app must have the required permissions to use the endpoint. For more information, see AUTOTITLE.
For example, to make a request to the GraphQL API:
await octokit.graphql(` query { viewer { login } } `)
For example, to make a request to the REST API:
await octokit.request("GET /meta")
The Octokit.js SDK also passes a pre-authenticated octokit instance to webhook event handlers.
-
Get the ID of your {% data variables.product.prodname_github_app %}. You can find your app's ID on the settings page for your {% data variables.product.prodname_github_app %}. For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see AUTOTITLE.
-
Generate a private key. For more information, see AUTOTITLE.
-
Get the webhook secret that you specified in your app's settings. For more information about webhook secrets, see AUTOTITLE.
-
Import
Appfromoctokit. Create a new instance ofApp. In the following example, replaceAPP_IDwith a reference to your app's ID. ReplacePRIVATE_KEYwith a reference to your app's private key. ReplaceWEBHOOK_SECRETwith the your app's webhook secret.import { App } from "octokit"; const app = new App({ appId: APP_ID, privateKey: PRIVATE_KEY, webhooks: { WEBHOOK_SECRET }, });
-
Use an
app.webhooks.*method to handle webhook events. For more information, see the Octokit.js README's Webhooks section. For example, to create a comment on an issue when the issue is opened:app.webhooks.on("issues.opened", ({ octokit, payload }) => { await octokit.request("POST /repos/{owner}/{repo}/issues/{issue_number}/comments", { owner: payload.repository.owner.login, repo: payload.repository.name, issue_number: payload.issue.number, body: `This is a bot post in response to this issue being opened.`, headers: { "x-github-api-version": "{{ allVersions[currentVersion].latestApiVersion }}", }, } ) });