"Semi-Private" GitHub App

Is it possible to create an App but only allow certain organizations to share it?

Our company has several organizations for different purposes. I’d like to create an App that can be used by all of them, but only them. I don’t want just anyone on the internet to be able to install my App.

Is this currently possible? If so, how? If not, what is the best channel for requesting this functionality be added?

Hi @tduffield,

Thanks for being here! I believe you can accomplish this by user-based token access. For more information, see “Identifying and authorizing users for GitHub Apps”.

I hope this helps!

Thanks for the reply. I’m not sure that does exactly what I need. 

The instructions you provided go over how the App can “perform actions on behalf of a user,” but my question is specifically around the installation of the App itself. One of the reasons we wanted to move towards an App is because we wanted our actions to be taken by the Application, not a “user.” 

Thanks for the clarification. Unfortunately, there is no way to do that as of yet. The only options are Private, or internal, and these GitHub Apps can only be installed on the user or organization account of the owner. More granular permissions like you are requesting are something the API team is working on. I’ve taken your suggestion and passed it along to the appropriate teams. Thanks again for reaching out.


Hi @tduffield, keep in mind that GitHub App URLs are not published anywhere public to my knowledge. So as long as you’re not distributing your GitHub App page publicly, your GitHub App should be semi-private, similar to an “unlisted” YouTube video, for lack of a better example.

We have a few GitHub Apps that are ‘public’ and widely used across our orgs.

When a new installation is created, and also as part of a daily job where we validate all installs, we remove any installations that do not meet our requirements (i.e. a repo install, where our app only performs org-level things of note) using the delete installation API.

We also ‘activate’ installations in our own metadata store by one of our admins - so until it is ‘active’, we discard any and all webhook events and do not allow it to perform any actions. Eventually we delete the install if one of our employees doesn’t let us know it was a legit install.
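The gating described in the post above, as an added example that is not the poster's code: a webhook handler that verifies the payload signature, deletes freshly created installations that are not org-wide installs on an approved org, and discards every other event until an admin has activated the installation. The allow-list, the active-installation set and the `delete_installation` callable are assumptions standing in for the poster's metadata store and their wrapper around the delete installation API.

```python
import hashlib
import hmac
import json
from typing import Callable

# Constructed stand-ins for the poster's metadata store: approved org logins and
# the installation ids an admin has marked active.
APPROVED_ORGS = {"example-platform", "example-security"}
ACTIVE_INSTALLATIONS = {1001}

def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256 for this body (also used to build test input)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Reject any payload whose HMAC does not match: never act on an unauthenticated webhook."""
    return hmac.compare_digest(sign_body(secret, body), signature_header or "")

def triage_installation(installation: dict) -> str:
    """'keep' only org-wide installs on approved orgs; anything else is 'delete'."""
    account = installation.get("account") or {}
    if installation.get("target_type") != "Organization":
        return "delete"  # a personal-account install is useless for an org-level app
    if account.get("login") not in APPROVED_ORGS:
        return "delete"  # someone outside the company reached the install page
    if installation.get("repository_selection") != "all":
        return "delete"  # a repo-scoped install cannot do the org-level work
    return "keep"

def handle_webhook(secret: bytes, headers: dict, body: bytes,
                   delete_installation: Callable[[int], None]) -> str:
    """delete_installation (assumed) wraps DELETE /app/installations/{installation_id},
    which needs an app JWT; it is injected so this example runs offline."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return "rejected"
    event = json.loads(body)
    installation = event.get("installation") or {}
    if headers.get("X-GitHub-Event") == "installation" and event.get("action") == "created":
        decision = triage_installation(installation)
        if decision == "delete":
            delete_installation(installation["id"])
        return decision
    # Every other event is dropped until an admin has activated the installation.
    return "process" if installation.get("id") in ACTIVE_INSTALLATIONS else "discarded"
```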