GitHub
The GitHub enables tools and to call GitHub APIs on behalf of a .
Want to quickly get started with GitHub in your or AI app? The pre-built Arcade GitHub MCP Server is what you want!
What’s documented here
This page describes how to use and configure GitHub auth with Arcade.
This is used by:
- The Arcade GitHub MCP Server, which provides pre-built for interacting with GitHub
- Your app code that needs to call the GitHub API
- Or, your custom tools that need to call the GitHub API
Why Arcade Uses GitHub Apps (Not OAuth Apps)
Arcade’s Decision
Arcade’s security team selected GitHub Apps over OAuth Apps for the GitHub toolkit based on three critical factors:
-
🎯 GitHub’s Recommendation: OAuth Apps are soft-deprecated. GitHub actively recommends Apps for new integrations and invests in their development.
-
🔐 Fine-Grained Security: GitHub Apps support granular permissions (e.g., “Read pull requests”), while OAuth Apps only offer coarse scopes (e.g.,
repo= full repository access). -
🏢 Enterprise Control: Admins can approve exact permissions and see all app installations. OAuth Apps bypass organizational oversight.
Important: When creating your GitHub integration with Arcade, you must use a GitHub App (not an OAuth App). GitHub Apps provide the security and permission model required for production use.
Quick Comparison
| Aspect | 🏆 GitHub Apps (Required) | OAuth Apps (Not Supported) |
|---|---|---|
| Permissions | Fine-grained (e.g., “Read contents”) | Broad scopes (e.g., repo = full access) |
| Installation | Per repository/org (admin approval) | Per user (no approval) |
| Access | Only installed repositories | All user repositories |
| Tokens | Scoped, short-lived | Broad, long-lived |
| Identity | Acts as app | Acts as user |
| Security | ⭐⭐⭐⭐⭐ Highest | ⭐⭐⭐ Good |
| Best For | Production, CI/CD, Enterprise | Personal, Prototypes |
Why Enterprises Choose GitHub Apps
| 🔐 Permission Model | Least-privilege access. Grant only exact permissions needed (e.g., “Read contents” vs full |
| 🏢 Installation | Centralized control. IT/security teams see all app installations, enforce policies, prevent shadow IT. Admin approval ensures integrations are vetted and documented. |
| 🎯 Access Scope | Reduced attack surface. Apps only access explicitly installed repositories. Critical for organizations with repositories at different sensitivity levels. |
| 🔑 Token Type | Better security posture. Tokens are scoped and revocable instantly. Long-lived OAuth tokens remain valid for months if compromised. |
| 👤 Identity | Clear accountability. Actions attributed to app, not . Essential for compliance audits and security investigations. |
| 📊 Audit Trail | Clear audit logs. Easy to identify automated vs human actions. Essential for SOC 2, HIPAA compliance. |
Creating a GitHub App
You must create a GitHub App (not an OAuth App). The “OAuth App” option in GitHub does not provide the fine-grained permissions model required for secure production use.
Navigate to GitHub App Settings
- Log in to GitHub and click your profile picture (top-right corner)
- Click Settings from the dropdown menu
- Scroll down in the left sidebar and click Developer settings
- Click GitHub Apps in the left sidebar
- Click New GitHub App button
Configure Basic Information
Fill in the following fields:
- GitHub App name: Enter a descriptive name (e.g., “My Company GitHub Integration”)
- This name will be visible to when installing the app
- Homepage URL: Your application homepage URL
- authorization callback URL: The redirect URL generated by Arcade (you’ll get this in step 4)
- Webhook URL: Leave blank unless you need webhooks
- Webhook secret: Leave blank unless you need webhooks
Important settings:
- Leave “Expire authorization tokens” checked ✅
- Enable “Request authorization (OAuth) during installation” checked ✅
- Critical: This enables -to-server authentication flow
- Allows the app to act on behalf of authenticated
- Required for Arcade’s authentication model
- Learn more about user authorization
- Leave “Setup URL” blank and “Redirect on update” unchecked ❌
- Ensure “Optional features > -to-server token expiration” is enabled ✅
Set Permissions
Configure permissions based on your needs. At minimum:
Repository Permissions:
- Contents: Read (required for most ), Write (for file operations and branch creation)
- Issues: Read & Write (for issue management and labels)
- Metadata: Read (automatically selected)
- Pull requests: Read & Write (for PR management and reviews)
- Statuses: Read (for CI/CD status checks)
Organization Permissions:
- Members: Read (for collaborators, teams, org )
- : Read & Write (for Projects V2 management)
Permissions:
- Email addresses: Read (minimum required)
- Read profile: Read (for user )
- Act on behalf of : Enable for user-attributed actions (starring repos, user activity feed)
“Act on behalf of ” is only needed when actions should be attributed to the user rather than the app. Without this permission:
- ✅ The app can still access and read /org data
- ✅ The app can perform actions (attributed to the app, not the )
- ❌ -specific actions (starring repos) won’t work
- ❌ Actions won’t appear in the ’s activity feed
When you need it: Starring repositories, activity attribution, user-specific rate limits.
See the Complete Permissions Reference below for detailed permissions needed by each .
Set Installation Options
- Personal use: Select “Only on this ”
- Organization use: Select “Any ”
Create the App
- Review all settings
- Click Create GitHub App
- You’ll be redirected to your app’s settings page
Note Your Credentials
After creating the app, you’ll need these credentials for Arcade configuration:
- Client ID: Found in the “About” section of your app settings
- Client Secret:
- Click Generate a new client secret
- Copy it immediately (you cannot view it again!)
- Store it securely
Arcade Does Not Require Private Keys or Installation IDs
Unlike some GitHub App integrations, Arcade’s architecture uses -to-server tokens (OAuth flow) rather than installation tokens. This means:
- ✅ You only need: Client ID and Client Secret
- ❌ You do NOT need: Private Key (.pem file) or Installation ID
- ✅ Simpler setup with fewer credentials to manage
- ✅ Users authorize the app directly when they use your
Install the App
After creating your GitHub App, you need to install it to make it functional. Installation grants the app access to specific repositories.
- In your GitHub App settings page, click Install App in the left sidebar
- Click Install next to the where you want to install the app
- Choose repository access:
- All repositories: Access to all current and future repos (convenient but less secure)
- Only select repositories: Only specific repos (recommended for production)
- If selecting specific repositories, choose which repos the app can access
- Click Install to complete the installation
For Organizations: If you’re installing on an organization, an admin may need to approve the installation. Organization members can request installation, which sends a notification to org owners. Learn more about GitHub App installations
Important: Users must authorize the app separately from installation. When a user first uses your /app, Arcade will redirect them to GitHub to authorize the app. This grants the app permission to act on their behalf. Learn more about authorization
For Private Organization Repositories
If you need to access private repositories in an organization:
- Make the app public: In app settings → Advanced → Make public
- Public apps can be installed on any
- Private apps can only be installed on the owning
- Install on the organization: Install app → Select your organization
- Organization admin approval: An org owner must approve the installation
- authorization: Each user must authorize the app when they first use it
Organization admins can review and manage all GitHub App installations at: Settings → Integrations → Applications → Installed GitHub Apps. Learn more about reviewing installations
Understanding GitHub App Authorization Flow
GitHub Apps use a two-step process that separates installation from authorization:
1. Installation (One-time, Admin Action)
Who: Repository admin or organization owner
What: Installs the app on specific repositories
Grants: App can access those repositories’ data
This happens once when setting up the app. Installation guide
2. User Authorization (Per-User, First Use)
Who: Each individual
What: Authorizes the app to act on their behalf
Grants: App can perform actions as that user
This happens when a user first interacts with your /app. Arcade handles this automatically. Authorization guide
Key Differences
| Aspect | Installation | Authorization |
|---|---|---|
| When | Once per repository/org | Once per user |
| Who | Admin/Owner | Individual user |
| Grants | Repository access | User-level permissions |
| Revocable by | Admin or user | User only |
| Required for | App to see repos | App to act as user |
Why Both? This two-layer model provides security and control:
- Installation = “Which repos can this app access?”
- Authorization = “Can this app act on my behalf?”
can revoke authorization without affecting the installation. Admins can remove installations without affecting other users’ authorizations.
Managing User Authorizations
How Users Revoke Authorization
Users can revoke their authorization to your GitHub App at any time. This is important for privacy and security.
Steps for :
- Go to GitHub Settings → Applications → Authorized GitHub Apps
- Find your app in the list
- Click Revoke next to the app name
- Confirm the revocation
Direct Link: github.com/settings/apps/authorizations
When a revokes authorization:
- Their access token is immediately invalidated
- The app can no longer act on their behalf
- The app installation remains active (admin can still manage it)
- User can reauthorize later by using your /app again
How Admins Revoke App Installation
Organization owners and repository admins can remove app installations:
Steps for Admins:
- Go to Settings → Applications → Installed GitHub Apps
- Find the app in the list
- Click Configure next to the app
- Scroll to the bottom and click Uninstall
- Confirm the uninstallation
Direct Link: github.com/settings/installations
When an admin uninstalls an app:
- The app loses access to all repositories in that installation
- All authorizations for that installation are revoked
- will need to wait for reinstallation before reauthorizing
- This affects all who were using the app
Difference: Revoke Authorization vs Uninstall
| Action | Who Can Do It | What Happens | Scope |
|---|---|---|---|
| Revoke Authorization | Individual user | User’s token invalidated | Only that user |
| Uninstall App | Admin/Owner | App loses repo access | All users |
Best Practices:
- Users should revoke authorization when they stop using your
- Admins should uninstall when the app is no longer needed organization-wide
- After permission changes, should revoke and reauthorize to get updated permissions
Configuring GitHub Auth in Arcade
When using your own app credentials, make sure you configure your to use a custom user verifier. Without this, your end-users will not be able to use your app or in production.
Dashboard GUI
Configure via Arcade Dashboard
Access the Arcade Dashboard
Go to api.arcade.dev/dashboard . If self-hosting, use http://localhost:9099/dashboard (adjust host/port as needed).
Navigate to OAuth Providers
- Under OAuth section, click Providers
- Click Add OAuth Provider (top-right)
- Select Included Providers tab
- In Provider dropdown, select GitHub
Enter Provider Details
- ID: Choose unique ID (e.g., “my-github-provider”)
- Description: Optional description
- Client ID: From your GitHub app
- Client Secret: From your GitHub app
- Redirect URL: Note the URL generated by Arcade - add this to your GitHub app’s “Callback URL”
Create the Provider
Click Create button. The provider is now ready to use.
When you use tools requiring GitHub auth with your Arcade , Arcade automatically uses this provider. For multiple providers, see using multiple auth providers.
Using GitHub Auth in App Code
Use the GitHub to get a token for the GitHub API. See authorizing agents with Arcade for details.
Use client.auth.start() to get a token:
Python
import requests
from arcadepy import Arcade
client = Arcade() # Automatically finds the `ARCADE_API_KEY` env variable
user_id = "{arcade_user_id}"
"""
In this example, we use Arcade to authenticate with GitHub and retrieve
the number of stargazers of the ArcadeAI/arcade-ai repository.
There is a tool for that in the Arcade SDK, which simplifies the process.
Below we're showing how to use Arcade as an auth provider directly.
"""
# Start the authorization process
auth_response = client.auth.start(
user_id=user_id,
provider="github",
)
if auth_response.status != "completed":
print("Please complete the authorization challenge in your browser:")
print(auth_response.url)
# Wait for the authorization to complete
auth_response = client.auth.wait_for_completion(auth_response)
if not auth_response.context.token:
raise ValueError("No token found in auth response")
token = auth_response.context.token
owner = "ArcadeAI"
name = "arcade-ai"
headers = {
"Accept": "application/vnd.github+json",
"Authorization": f"Bearer {token}",
"X-GitHub-Api-Version": "2022-11-28",
}
url = f"https://api.github.com/repos/{owner}/{name}"
response = requests.get(url, headers=headers)
response.raise_for_status()
print(response.json().get("stargazers_count"))Using GitHub Auth in Custom Tools
Use the pre-built Arcade GitHub MCP Server for quick GitHub integration.
For custom , use the GitHub() auth class. The context.authorization.token field will be automatically populated:
from typing import Annotated
import httpx
from arcade_tdk import ToolContext, tool
from arcade_tdk.auth import GitHub
@tool(requires_auth=GitHub())
async def count_stargazers(
context: ToolContext,
owner: Annotated[str, "The owner of the repository"],
name: Annotated[str, "The name of the repository"],
) -> Annotated[int, "The number of stargazers (stars) for the specified repository"]:
"""Count the number of stargazers (stars) for a GitHub repository."""
if not context.authorization or not context.authorization.token:
raise ValueError("No token found in context")
headers = {
"Accept": "application/vnd.github+json",
"Authorization": f"Bearer {context.authorization.token}",
"X-GitHub-Api-Version": "2022-11-28",
}
url = f"https://api.github.com/repos/{owner}/{name}"
async with httpx.AsyncClient() as client:
response = await client.get(url, headers=headers)
response.raise_for_status()
return response.json().get("stargazers_count", 0)Tool Permissions Reference
This section lists the GitHub App permissions required by tools in the Arcade GitHub Server.
Summary Table
| Tool Category | Required Permissions |
|---|---|
| Issues | Contents (Read), Issues (Read/Write), Metadata (Read) |
| Pull Requests | Contents (Read), Pull requests (Read/Write), Metadata (Read) |
| Projects | Contents (Read), Metadata (Read), Projects (Read/Write), Members (Read) |
| Repositories | Contents (Read/Write for file ops), Metadata (Read), Members (Read for org repos) |
| Reviews | Contents (Read), Pull requests (Read/Write), Metadata (Read) |
| User Context | Read user profile, Members (Read for orgs) |
| Notifications | ⚠️ Classic PAT with notifications scope (GitHub Apps limitation) |
Detailed Permissions by Category
Issues
Issues (7 tools):
create_issue,update_issue,create_issue_comment,list_issues,get_issue,list_repository_labels,manage_labels(for issues)
Required:
- Repository: Contents (Read), Issues (Read/Write), Metadata (Read)
- Organization: (Read/Write) - only for
create_issuewhen adding to org project
Important Gotchas
These are common issues encounter. Read this section to avoid frustration!
Permission Changes Require User Reauthorization
When you modify permissions in your GitHub App settings, existing authorizations don’t automatically receive the new permissions.
What Happens:
- You update permissions in GitHub App settings
- Organization admins may need to approve the changes
- Existing tokens still have old permissions
- must reauthorize to get new permissions
Solution:
- should revoke their authorization in Arcade and reauthorize
- Or, admins can revoke all authorizations in GitHub App settings
- New will automatically get the updated permissions
Learn more about permission updates
404 Errors Can Mean Missing Permissions or Installation
GitHub returns 404 Not Found (not 403 Forbidden) in several scenarios:
Possible Causes:
- App not installed on the target repository
- Permissions not approved by organization admin
- Repository doesn’t exist or you lack access
- hasn’t authorized the app yet
Why 404 Instead of 403?
GitHub doesn’t reveal which repositories exist when you lack access (security by obscurity).
Solution:
- Verify the app is installed on the target repository
- Check that all required permissions are approved
- Ensure the has authorized the app
- Confirm the repository path is correct
Installing on Additional Repositories
After initial installation, you can add more repositories:
Via GitHub Settings:
- Go to Settings → Applications → Installed GitHub Apps
- Click on your app name
- Click Configure
- Under “Repository access”, click Select repositories
- Choose additional repositories
- Click Save
Official guide for managing installations
Permissions ≠ Scopes
- GitHub Apps use permissions (fine-grained), not scopes (OAuth Apps)
- Scopes aren’t present in GitHub App tokens
- is still limited by their own GitHub permissions (can’t elevate privileges)
Personal vs Organization GitHub Apps
Functionally the same, but:
- Personal app: You own and manage it
- Organization app: Org owns it, can be managed by org admins
- Both can be installed on any if “Any account” is selected
Troubleshooting
Common Errors
| Error | Cause | Solution |
|---|---|---|
| ”Resource not accessible by integration” | Missing permissions or not installed on repo | Verify permissions and installation |
| ”Installation not found” | Wrong Installation ID | Check Installation ID in URL |
| ”403 Forbidden” | Missing permissions, not installed, or rate limited | Review permissions, check installation |
| ”404 Not Found” on existing repo | Permissions not approved by admin | Check app settings → verify permissions approved |
| Notifications not working | GitHub Apps can’t access notifications | Use classic PAT with notifications scope |
| Can’t star repositories | Missing “Act on behalf of user” permission | Enable in User permissions settings |
Debugging Steps
-
Verify Installation
- Go to Settings → Applications → Installed GitHub Apps
- Confirm app is installed on target repository
- Review your installations
-
Check Authorization
- Verify the has authorized the app
- can check at: Settings → Applications → Authorized GitHub Apps
- If not authorized, user needs to use your /app to trigger authorization flow
-
Check Permissions
- Review app settings → Permissions & events
- Ensure all required permissions are granted
- Verify organization approval (if applicable)
- After changing permissions: must reauthorize
-
Test Credentials
- Verify Client ID and Client Secret are correct in Arcade dashboard
- Ensure redirect URL in GitHub matches Arcade’s generated URL
- Check that “Request authorization (OAuth) during installation” is enabled
Frequently Asked Questions
General
Q: Is GitHub Apps free? A: Yes! Free GitHub support GitHub Apps. No paid plan needed.
Q: Can I use one app for multiple ? A: Yes! Install the same app on multiple repositories. Each gets a unique Installation ID.
Q: What if I lose my private key? A: Generate a new one from app settings. The old key will be invalidated. You cannot recover lost keys.
Installation
Q: Do I need to be an org owner? A: To create an app: No (any can create). To install on org: Yes (or need owner approval). Organization owners control which apps can be installed. Learn more
Q: How do I install the app on additional repositories? A: Settings → Applications → Installed GitHub Apps → Click your app → Configure → Select additional repositories.
Q: Can I change permissions later? A: Yes, anytime. After changing:
- Organization installs require admin approval for new permissions
- must reauthorize for new permissions to take effect
- Best practice: should revoke old authorization and reauthorize
- Guide to updating permissions
Usage
Q: Which need org permissions? A: Project management, collaborators listing, org repo listing, and user search within org .
Q: What’s the rate limit? A: GitHub Apps: 5,000/hour per installation + 12,500/hour for endpoints. OAuth: 5,000/hour total.
Q: Can I use with GitHub Enterprise? A: Yes! Works with GitHub Enterprise Server 2.22+. Just set the API URL to your Enterprise instance.
Q: Why can’t I star repositories? A: Starring repositories requires the “Act on behalf of ” permission:
- Enable “Act on behalf of ” in User permissions section
- This permission makes actions appear as the (not the app)
- Users must authorize this permission when they first use your
- The app can still read and perform other actions without this permission
- Why this permission exists
Q: Why can’t I access notifications? A: Notifications require a classic PAT (GitHub Apps cannot access notifications API by design):
- This is a platform limitation, not an Arcade limitation
- Create a classic PAT at github.com/settings/tokens with
notificationsscope - Why GitHub Apps can’t access notifications
Security
Q: What if my credentials are compromised? A: Immediately take these steps:
- Revoke the Client Secret in GitHub App settings
- Generate a new Client Secret
- Update your Arcade OAuth provider configuration
- Review GitHub audit logs for suspicious activity
- Consider revoking all authorizations
- Notify affected if necessary
GitHub security best practices
Q: Why can’t the app access all my repositories? A: Security by design. Apps only access repositories they’re explicitly installed on. This limits blast radius if compromised.
Configuration Checklist
Use this checklist to ensure proper setup:
- Created GitHub App (not OAuth App)
- Set all required permissions (Contents, Issues, Pull requests, etc.)
- Enabled “Request authorization (OAuth) during installation” ✅
- Enabled “Act on behalf of ” for user-level actions
- Generated and securely stored Client Secret
- Noted Client ID
- Installed app on target repositories (or made public for any )
- Added Arcade redirect URL to GitHub app callback URL
- Configured OAuth provider in Arcade dashboard
- Tested with a simple call
-
Generated private key(Not needed for Arcade) -
Noted Installation ID(Not needed for Arcade)
Additional Resources
Official GitHub Documentation
- GitHub Apps Overview
- Installing Your Own GitHub App
- Installing a GitHub App from a Third Party
- Authorizing GitHub Apps
- Reviewing and Revoking Authorization
- Approving Updated Permissions
- GitHub API Documentation
- Security Best Practices
Arcade Resources
💡 Remember: Always use GitHub Apps (not OAuth Apps), enable authorization during installation, and store credentials securely!