How to access API endpoints using an app installation token? #24502
-
Hi, I’m developing a GitHub app in which I need to create repositories on the installed user’s GitHub. I have been following the official docs Authenticating with GitHub Apps but it doesn’t seem to work. I have successfully obtained the installation access token, but when calling the Create a repository for the authenticated user API using the installation access token, I get the 403 error with the following message,
For reference, my app has the following permissions,
I’m not able to figure out what I’m doing wrong or how else to proceed.
Replies: 7 comments
-
👋 hello there @satwikkansal, and welcome to the GitHub Support Community!
As a next step for troubleshooting this further, could you please send us the full request-response pair of a Please make sure you mask any sensitive information like OAuth tokens and Authorization headers in the output of the curl command.
-
Hi @francisfuzz Here’s the curl
-
@satwikkansal thanks for sharing that example
Here are some ways to determine which endpoints are enabled for GitHub Apps
The first way is to look at the endpoint’s documentation’s
The second way is to consult the
The third way is to consult octokit/routes/blob/da86230b26f5f53809d837d44888479779be0661/openapi/api.github.com/operations/repos/create-for-authenticated-user.json#L269
Hope this helps! 🙇‍♂️
-
@francisfuzz thank you! I get it now. Is there any other way a third party can create a repository in the user’s account? I tried looking into the docs, but it seems like this can only be done with the help of personal access tokens. But that seems unlikely, I’m probably missing something but not sure what.
-
@satwikkansal One approach is creating an OAuth app that requests either the public_repo scope (ability to create only public repositories) or the repo scope (ability to create either public or private repositories).
Once that person authorizes your OAuth app through the web application flow with either scope, then you can use the access token to access the API on their behalf (like creating a repository on their account). Hope this helps!
-
@francisfuzz thanks again 🙂 That mostly answers my question. I have just one last question: will I be able to list an OAuth app just like a GitHub App on the Marketplace, or is there any caveat I should be aware of?
-
Yes! It’s possible to draft a listing for either an OAuth app or a GitHub App depending on what you’d like to add to the GitHub Marketplace.
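The OAuth app approach suggested earlier in this thread, sketched as an added example that is not code from any of the participants: it requests the narrower of the two scopes, binds the callback to the session with a state value, and checks the granted scopes before building the create-repository call. The function names, client ID, redirect URI and token are constructed placeholders, and the code-for-token exchange is assumed to have already returned the JSON passed as token_response.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
CREATE_REPO_URL = "https://api.github.com/user/repos"

def minimal_scope(need_private: bool) -> str:
    # public_repo: public repositories only; repo: public and private.
    return "repo" if need_private else "public_repo"

def start_authorization(client_id: str, redirect_uri: str, need_private: bool):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable anti-CSRF value
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": minimal_scope(need_private), "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def callback_code(params: dict, expected_state: str) -> str:
    """Validate the redirect back from GitHub and return the one-time code."""
    sent = params.get("state", "").encode()
    if not hmac.compare_digest(sent, expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    if "code" not in params:
        raise ValueError(params.get("error", "authorization was not granted"))
    return params["code"]

def create_repo_request(token_response: dict, name: str, private: bool):
    """Build (not send) POST /user/repos after checking the granted scopes."""
    raw = token_response.get("scope", "")
    granted = {s.strip() for s in raw.split(",") if s.strip()}
    if "repo" not in granted and (private or "public_repo" not in granted):
        raise PermissionError(f"granted scopes {sorted(granted)} are insufficient")
    body = json.dumps({"name": name, "private": private}).encode()
    return urllib.request.Request(CREATE_REPO_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {token_response['access_token']}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json"})

if __name__ == "__main__":
    # Constructed values: client ID, redirect URI, code and token are placeholders.
    url, state = start_authorization("EXAMPLE_CLIENT_ID", "https://app.example/callback", False)
    code = callback_code({"code": "constructed-code", "state": state}, state)
    req = create_repo_request({"access_token": "EXAMPLE_TOKEN", "scope": "public_repo"},
                              "demo", private=False)
    print(url, code, req.get_method(), req.full_url, sep="\n")
```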