A long-lived access token for github app (not oauth) #24473
-
Hi Githubbers, Currently, I can use the installation id to obtain the access token, which, in turn, allows me the access the content of a repo. However, the access token only lives for 1 hour. How should I handle the case where I want to read the content of a repo later in time, maybe days later? Thank you, Tanin |
Beta Was this translation helpful? Give feedback.
Replies: 5 comments 2 replies
-
@tanin47 You should be able to achieve what you are describing with the existing API. You can generate new installation tokens whenever you want, so in your code, maybe generate a new installation token every time you execute your script/job? |
Beta Was this translation helpful? Give feedback.
-
@abinoda Just to clarify. Do you mean storing the installation id to use at a later time? |
Beta Was this translation helpful? Give feedback.
-
You are right. We can save the installation id. It seems a formal way is explained here: https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/ Basically, we ask user to login and obtain the OAuth access token. We, then, get all the installation ids that the user can access through /user/installations?access_token=…. Then, we can obtain Github app access token from these installation ids. |
Beta Was this translation helpful? Give feedback.
-
The problem I have with this approach is, what information needs to be seeded into a containerised deployment. Ideally I'd simply inject the access token, and use that, but the approach suggests I should be inserting the PEM, which is kind of the crown jewels. It also means any daemon application, which might not be specifically designed to talk to github, needs to understand the need to generate a token each/every time it does something. Realistically this means having a sidebar cron job, constantly rejenerating the access token, to keep it current. It all seems overkill. A 24 hour token lifetime, would seem far more sensible. We're seriously considering not using an app, in favour of a svc user, because a personal access token can have the longer expiry, but that seems wrong. |
Beta Was this translation helpful? Give feedback.
@tanin47 You should be able to achieve what you are describing with the existing API. You can generate new installation tokens whenever you want, so in your code, maybe generate a new installation token every time you execute your script/job?