
SYSTEM

GitHub Apps

GitHub Apps are GitHub's first-class extension mechanism for third-party and first-party integrations against the GitHub API. Each App has:

  • A public identity (name, logo, description) visible in the installations UI.
  • A cryptographic identity: a private key held by the App's operator. It signs a short-lived JWT that authenticates as the App itself, which can then be exchanged for an installation access token scoped to one installation's repos and permissions.
  • A permission scope declared at registration: each permission (read code, write issues, write commit statuses, etc.) is granted explicitly, at a specific level (read or write).
  • An installation target: specific repos in specific orgs, not blanket account access.
  • An optional webhook: the events the App wants to receive, delivered to a configured HTTPS endpoint and signed with a shared webhook secret so the receiver can verify each delivery before acting on it.

Why organisations pick Apps over OAuth / PAT

  • Least-privilege by permission list. An App can be scoped to exactly what it needs (Figma's verifier: read code + write commit status; nothing else). See concepts/least-privileged-access.
  • Independent of individual users. The App's capability doesn't go away when the installing engineer leaves.
  • Per-installation tokens are short-lived and scoped to the installation's repos and declared permissions, so the blast radius of a leaked token is smaller than that of a PAT, which carries the full rights of its user.
  • Event-driven via webhooks out of the box; pairs naturally with Lambda-backed verifiers.
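The following is an added example, not code from this wiki or from GitHub, that exercises the three security-relevant pieces of the App model described above: the webhook shared-secret check (both the sender's and the receiver's side), the short-lived App JWT, the expiry handling for installation tokens, and a least-privilege review of a declared permission list against an allowlist. The secret, body, App ID and timestamps are constructed values; the RS256 signing step is supplied by the caller as a callable (in practice an RSA-SHA256 signature with the App's private key) so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# ---- Webhook delivery: both sides of the shared-secret check ------------------------

def sign_webhook_body(secret: str, raw_body: bytes) -> str:
    """Sender side: the value carried in the X-Hub-Signature-256 header for a delivery."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook_signature(secret: str, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Receiver side: accept the event only if the header matches the raw request bytes.

    The HMAC must be computed over the exact bytes received. Re-serialising the JSON
    (different key order or whitespace) changes the digest and rejects valid deliveries.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False  # missing or differently formatted header: treat as unauthenticated
    expected = sign_webhook_body(secret, raw_body)
    # compare_digest keeps comparison time independent of where the first mismatch sits
    return hmac.compare_digest(expected.encode("ascii"), signature_header.encode("utf-8"))


# ---- App identity: a short-lived JWT signed with the App's private key ---------------

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_app_jwt(app_id: int, sign_rs256: Callable[[bytes], bytes],
                  now_epoch: Optional[int] = None) -> str:
    """Assemble the JWT used to authenticate as the App itself.

    `sign_rs256` (assumed, caller-supplied) must return an RSA-SHA256 signature over the
    signing input using the App's private key. GitHub rejects `exp` more than ten minutes
    after `iat`; backdating `iat` by 60 s absorbs clock skew between us and GitHub.
    """
    now = int(time.time()) if now_epoch is None else now_epoch
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now - 60, "exp": now + 600, "iss": str(app_id)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + _b64url(sign_rs256(signing_input.encode("ascii")))


def decode_jwt_claims(token: str) -> Dict:
    """Read back the (unverified) claims segment; used here to inspect what we minted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


# ---- Installation token: short-lived, scoped to one installation --------------------

def installation_token_is_usable(expires_at: str, now_epoch: int, margin_seconds: int = 60) -> bool:
    """Installation tokens come with an ISO-8601 `expires_at` (roughly one hour out).

    Treat a token as unusable once it is within `margin_seconds` of expiry, so a job
    re-mints a token instead of failing part-way through a series of API calls.
    """
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return expiry.timestamp() - now_epoch > margin_seconds


# ---- Least privilege: review a declared permission list against an allowlist --------

_LEVEL = {"read": 1, "write": 2, "admin": 3}


def excess_permissions(declared: Dict[str, str], allowed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (permission, level) pairs in `declared` that exceed the reviewer's allowlist:
    a permission the allowlist does not mention, or one at a higher level than allowed."""
    excess = []
    for perm, level in sorted(declared.items()):
        cap = allowed.get(perm)
        if cap is None or _LEVEL.get(level, 99) > _LEVEL.get(cap, 0):
            excess.append((perm, level))
    return excess


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    body = b'{"action":"opened"}'
    header = sign_webhook_body("constructed-secret", body)
    print("webhook verifies:", verify_webhook_signature("constructed-secret", body, header))
    print("tampered body verifies:", verify_webhook_signature("constructed-secret", body + b"\n", header))
    token = build_app_jwt(12345, lambda data: b"fake-signature", now_epoch=1_700_000_000)
    print("JWT claims:", decode_jwt_claims(token))
    print("token usable:", installation_token_is_usable("2024-01-01T01:00:00Z", 1704067200))
    print("excess:", excess_permissions({"contents": "read", "statuses": "write", "issues": "write"},
                                        {"contents": "read", "statuses": "write"}))
```

The webhook receiver compares against the raw body bytes and uses a constant-time comparison; the permission check is the review step a platform team would run against an App's manifest before approving an installation (an allowlist of `contents: read` plus `statuses: write` mirrors the verifier scope mentioned above).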

Stub page

This is a stub; full GitHub Apps architecture is out of scope for the current wiki. Referenced only where a specific App is the integration primitive of interest.
