How to access API endpoints using an app installation token?

Hi, I’m developing a GitHub app in which I need to create repositories on the installed user’s GitHub. I have been following the official docs Authenticating with GitHub Apps but it doesn’t seem to work.

I have successfully obtained the installation access token, but when calling the Create a repository for the authenticated user API using the installation access token, I get the 403 error with the following message,

{'message': 'Resource not accessible by integration', 'documentation_url': 'https://developer.github.com/v3/repos/#create'}

For reference, my app has the following permissions,

{'token': 'SOME_INSTALLATION_TOKEN', 'expires_at': '2020-07-13T12:38:17Z', 'permissions': {'administration': 'write', 'contents': 'write', 'metadata': 'read', 'pages': 'write'}, 'repository_selection': 'all'}

I’m not able to figure out what I’m doing wrong or how else to proceed.

:wave: hello there @satwikkansal, and welcome to the GitHub Support Community!

As a next step for troubleshooting this further, could you please send us the full request-response pair of a curl -v request that demonstrates what you’re seeing? That should help us investigate further.

Please make sure you mask any sensitive information like OAuth tokens and Authorization headers in the output of the curl command.

Hi @francisfuzz

Here’s the curl

curl --location --request POST 'https://api.github.com/user/repos' \
--header 'accept: application/vnd.github.machine-man-preview+json' \
--header 'authorization: token INSTALLATION_ACCESS_TOKEN_HERE' \
--header 'Content-Type: application/json' \
--data-raw '{
        "name": "test_repo",
        "description": "This is your first repository",
        "homepage": "https://github.com",
        "private": false,
        "has_issues": true,
        "has_projects": true,
        "has_wiki": true
    }'

@satwikkansal thanks for sharing that example curl request. The endpoint for creating a repository for the authenticated user is not enabled for GitHub Apps.

Here are some ways to determine which endpoints are enabled for GitHub Apps:

The first way is to look at the endpoint’s documentation’s Notes section. For example, the endpoint for listing public repositories for a specified user is one such endpoint.

The second way is to consult the Permissions required for GitHub Apps article. A permission is associated with a collection of endpoints. If an endpoint you’re looking for isn’t listed in any of those permissions, then it’s not enabled for GitHub Apps.

The third way is to consult octokit/routes, a project that contains machine-readable, always up-to-date GitHub REST API route specifications. Any usage or troubleshooting questions are best fielded in the form of a new issue in that repository. In relation to the endpoint you’re using, this library leverages the OpenAPI Specification and encapsulates each endpoint into its own JSON file. For example, the endpoint for creating a repository for the authenticated user is defined and also includes an x-github field specifying some helpful metadata. In particular, the enabledForApps field’s value is false, indicating that it’s not an endpoint a GitHub App can access:

Hope this helps! :bowing_man:
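Added example (not part of the original replies and not octokit/routes code): a pre-flight check that reads the x-github.enabledForApps field described in the reply above and sorts an app's planned API calls into allowed, blocked and unknown before an installation token is sent. The spec document is a constructed sample, its paths/method layout is assumed from the OpenAPI format the reply mentions, and /example/undocumented, the octocat user name and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample. Only the "x-github" and "enabledForApps" names come from
# the thread; the paths -> method nesting is the assumed OpenAPI layout.
SAMPLE_SPEC = json.loads("""
{"paths": {
  "/user/repos": {"post": {"x-github": {"enabledForApps": false}}},
  "/users/{username}/repos": {"get": {"x-github": {"enabledForApps": true}}},
  "/example/undocumented": {"get": {"summary": "no x-github metadata"}}
}}
""")

def _template_to_regex(template):
    # "/users/{username}/repos" becomes ^/users/[^/]+/repos$
    parts = re.split(r"(\{[^/{}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(f"^{body}$")

def enabled_for_apps(spec, method, url):
    """True/False from x-github.enabledForApps; None when the spec is silent."""
    path = urlsplit(url).path.rstrip("/") or "/"
    paths = spec.get("paths", {})
    # A literal path wins over a templated one such as /users/{username}/repos.
    templates = [path] if path in paths else [
        t for t in paths if "{" in t and _template_to_regex(t).match(path)]
    for template in templates:
        op = paths[template].get(method.lower(), {})
        flag = op.get("x-github", {}).get("enabledForApps")
        if isinstance(flag, bool):
            return flag
    return None

def preflight(spec, planned_calls):
    """Group planned (method, url) calls; treat 'unknown' as not usable."""
    report = {"allowed": [], "blocked": [], "unknown": []}
    for method, url in planned_calls:
        verdict = enabled_for_apps(spec, method, url)
        key = {True: "allowed", False: "blocked", None: "unknown"}[verdict]
        report[key].append(f"{method.upper()} {urlsplit(url).path}")
    return report

if __name__ == "__main__":
    calls = [("POST", "https://api.github.com/user/repos"),
             ("GET", "https://api.github.com/users/octocat/repos?per_page=5"),
             ("GET", "https://api.github.com/example/undocumented")]
    print(json.dumps(preflight(SAMPLE_SPEC, calls), indent=2))
```

Anything reported as blocked or unknown needs a different credential type or a different endpoint rather than broader app permissions.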

@francisfuzz thank you! I get it now.

Is there any other way a third party can create a repository in the user’s account?

I tried looking into the docs, but it seems like this can only be done with the help of personal access tokens. But that seems unlikely, I’m probably missing something but not sure what.

@satwikkansal One approach is creating an OAuth app that requests either the public_repo scope (ability to create only public repositories) or the repo scope (ability to create either public or private repositories).

Once that person authorizes your OAuth app through the web application flow with either scope, then you can use the access token to access the API on their behalf (like creating a repository on their account). Hope this helps!

@francisfuzz thanks again :slight_smile: That mostly answers my question.

I have just one last question: will I be able to list an OAuth app just like a GitHub App on the marketplace, or is there any caveat I should be aware of?

Yes! It’s possible to draft a listing for either an OAuth app or a GitHub App depending on what you’d like to add to the GitHub Marketplace.