How to authenticate user using GitHub app?

I need user to install GitHub app _and_ I need to recognize user session on my web app – the user/ organization who have installed the app.

Is there an oauth equivalent flow for installing GitHub apps that allows me to securely identify user?

I have created a GitHub app.

I want to authenticate a user of my website using GitHub app.

My understanding is that user first needs to install the app, i.e. I link user to

After user installs the app, user is redirected to the landing page of my application with installation_id GET query parameter.

I use this installation_id and getInstallationAccessToken to create a token for installation.

My understanding is that now I need to use OAuth to authenticate the user. Therefore, I redirect user to Because user has already installed my app, user is instantly redirected back to my webpage with code GET query parameter.

Now I use code parameter to exchange it for access_code by making a POST request to, i.e.


accept: application/vnd.github.machine-man-preview+json
user-agent: octokit-request.js/2.4.2 Node.js/11.3.0 (macOS Mojave; x64)
authorization: token v1.796495[redacted]193c6f
content-type: application/json; charset=utf-8
Content-Length: 125
Accept-Encoding: gzip,deflate
Connection: close

"client_id": "Iv1.239e8[redacted]2c07",
"client_secret": "c35f82e8ed[redacted]e248ba6969",
"code": "60ee71[redacted]b40f7d"

My problem is that the latter always comes back with HTTP status code 406 response (no response body).

My question:

* How to authenticate user for GitHub app?
* How to know if user already has installed app/ redirect user back to landing page if user has installed the app (cannot link to, because that just gives configuration page).

1 Like

In case anyone else runs into this, the problem was that I included authorization header. The moment you include the authorization header, currently, the API starts returning 406 response.

The first time they click the link, they get redirected back with the installation_id. But how does it work the second and third time?

Edit: I believe the answer to my own question is:

GET /user/installations?access_token=...

Has anyone contacted support about this?
Why do they have a warning and a “preview” header requirement above the “/login/oauth/access_token” endpoint?