
About apps

You can build integrations with the GitHub APIs to add flexibility and reduce friction in your own workflow. You can also share integrations with others on GitHub Marketplace.

Apps on GitHub allow you to automate and improve your workflow. You can also share or sell apps in GitHub Marketplace. To learn how to list an app on GitHub Marketplace, see "Getting started with GitHub Marketplace."

GitHub Apps are the officially recommended way to integrate with GitHub because they offer much more granular permissions for accessing data, but GitHub supports both OAuth Apps and GitHub Apps. For information on choosing a type of app, see "Differences between GitHub Apps and OAuth Apps."

If you use your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the workflow scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "Understanding scopes for OAuth apps."

For a walkthrough of the process of building a GitHub App, see "Building Your First GitHub App."

About GitHub Apps

GitHub Apps are first-class actors within GitHub. A GitHub App acts on its own behalf, taking actions via the API directly using its own identity, which means you don't need to maintain a bot or service account as a separate user.

GitHub Apps can be installed directly on organizations and personal accounts and granted access to specific repositories. They come with built-in webhooks and narrow, specific permissions. When you set up your GitHub App, you can select the repositories you want it to access. For example, you can set up an app called MyGitHub that writes issues in the octocat repository and only the octocat repository. To install a GitHub App, you must be an organization owner or have admin permissions in a repository.
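As an added example (not code from this page or from GitHub), the Ruby below shows the app-to-server authentication that lets a GitHub App act under its own identity rather than as a bot user: it signs a short-lived RS256 JWT with the app's private key, verifies the JWT locally the way a relying party would, and builds the request that exchanges the JWT for an installation token narrowed to a single repository and a single permission. The App ID 12345, the installation ID 67890 and the inline-generated RSA key are placeholders, not real identifiers.

```ruby
# Added example, not code from the GitHub docs: authenticating as a GitHub
# App (app-to-server). App ID 12345 and installation ID 67890 are made-up
# placeholders; the RSA key is generated inline so this runs offline.
require "openssl"
require "json"

# GitHub rejects app JWTs that are valid for more than 10 minutes.
JWT_MAX_LIFETIME = 10 * 60

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0")
end

# RS256 JWT with iss = App ID. Only the app's private key can produce it, so
# no shared secret is ever sent to GitHub. iat is backdated 60 s to tolerate
# clock drift between your server and GitHub.
def app_jwt(app_id, private_key, now: Time.now.to_i, lifetime: 9 * 60)
  raise ArgumentError, "lifetime exceeds GitHub's 10 minute maximum" if lifetime > JWT_MAX_LIFETIME
  header  = { alg: "RS256", typ: "JWT" }
  payload = { iat: now - 60, exp: now + lifetime, iss: app_id.to_s }
  signing_input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
  sig = private_key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Verify a JWT as a relying party would: pin the algorithm (no "none" or
# HS256 downgrade), check the signature before trusting any claim, then
# check the time window. Returns the claims hash, or nil if anything fails.
def verify_app_jwt(token, public_key, now: Time.now.to_i)
  h, p, s = token.split(".")
  return nil unless h && p && s
  header = JSON.parse(b64url_decode(h))
  return nil unless header["alg"] == "RS256"
  return nil unless public_key.verify(OpenSSL::Digest::SHA256.new, b64url_decode(s), "#{h}.#{p}")
  claims = JSON.parse(b64url_decode(p))
  return nil if now >= claims["exp"] || claims["iat"] > now + 60
  claims
end

# Request that turns the JWT into a short-lived (1 hour) installation token.
# Passing `repositories` and `permissions` narrows the token below what the
# installation itself was granted: least privilege per job.
def installation_token_request(installation_id, jwt, repositories:, permissions:)
  {
    method: "POST",
    path: "/app/installations/#{installation_id}/access_tokens",
    headers: { "Authorization" => "Bearer #{jwt}", "Accept" => "application/vnd.github+json" },
    body: { repositories: repositories, permissions: permissions }.to_json,
  }
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)   # in production: load the app's downloaded .pem
  jwt = app_jwt(12345, key)
  puts(verify_app_jwt(jwt, key.public_key) ? "JWT verifies locally" : "JWT invalid")
  req = installation_token_request(67890, jwt, repositories: ["octocat"], permissions: { issues: "write" })
  puts "#{req[:method]} #{req[:path]} body=#{req[:body]}"
end
```

The installation token that comes back is what the app uses for ordinary API calls; the JWT itself is only ever sent to the `/app` endpoints, and regenerating it every few minutes is cheap, so there is no reason to cache it for long.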

By default, only organization owners can manage the settings of GitHub Apps in an organization. To allow additional users to manage GitHub Apps in an organization, an owner can grant them GitHub App manager permissions. See "GitHub App managers" to learn how to add and remove GitHub App managers in your organization.

GitHub Apps are applications that need to be hosted somewhere. For step-by-step instructions that cover servers and hosting, see "Building Your First GitHub App."

To improve your workflow, you can create a GitHub App that contains multiple scripts or an entire application, and then connect that app to many other tools. For example, you can connect GitHub Apps to GitHub, Slack, other in-house apps you may have, email programs, or other APIs.

Keep these ideas in mind when creating GitHub Apps:

  • A user or organization can own up to 100 GitHub Apps.

  • A GitHub App should take actions independent of a user (unless the app is using a user-to-server token). To keep user-to-server access tokens more secure, you can use access tokens that expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "Refreshing user-to-server access tokens."

  • Make sure the GitHub App integrates with specific repositories.

  • The GitHub App should connect to a personal account or an organization.

  • Don't expect the GitHub App to know and do everything a user can.

  • Don't use a GitHub App if you just need a "Login with GitHub" service. But a GitHub App can use a user identification flow to log users in and do other things.

  • Don't build a GitHub App if you only want to act as a GitHub user and do everything that user can do.

  • If you use your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the workflow scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "Understanding scopes for OAuth apps."

To begin developing GitHub Apps, start with "Creating a GitHub App." To learn how to use GitHub App Manifests, which allow people to create preconfigured GitHub Apps, see "Creating GitHub Apps from a manifest."

About OAuth Apps

OAuth2 is a protocol that lets external applications request authorization to private details in a user's GitHub account without accessing their password. This is preferred over Basic Authentication because tokens can be limited to specific types of data and can be revoked by users at any time.

Warning: Revoking all permissions from an OAuth App deletes any SSH keys the application generated on behalf of the user, including deploy keys.

An OAuth App uses GitHub as an identity provider to authenticate as the user who grants access to the app. This means when a user grants an OAuth App access, they grant permissions to all repositories they have access to in their account, and also to any organizations they belong to that haven't blocked third-party access.

Building an OAuth App is a good option if you are creating more complex processes than a simple script can handle. Note that OAuth Apps are applications that need to be hosted somewhere.
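The authorization the paragraphs above describe, and the expiring user-to-server tokens mentioned in the GitHub Apps section, both run through GitHub's OAuth endpoints. As an added example (not GitHub's own code), the Ruby below walks through the web application flow: building the redirect with an unguessable state value, refusing the callback unless state matches the session, exchanging the code for a token, and, for tokens that expire, deciding when to refresh and building the refresh exchange. The client_id, client_secret and redirect_uri values, and the sample token response, are constructed placeholders.

```ruby
# Added example, not GitHub's own code: the OAuth web application flow with
# a CSRF-binding `state`, the code-for-token exchange, and the refresh
# exchange used by GitHub Apps with expiring user-to-server tokens.
# client_id, client_secret and redirect_uri are placeholder assumptions.
require "securerandom"
require "json"
require "uri"

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL     = "https://github.com/login/oauth/access_token"

# Step 1: build the redirect to GitHub. `state` is unguessable and must be
# stored server-side in the user's session; the callback is accepted only if
# it returns the same value, which ties the code to the browser that started
# the flow and blocks login CSRF and authorization-code injection.
def authorize_redirect(client_id, redirect_uri, scopes)
  state  = SecureRandom.hex(16)
  params = { client_id: client_id, redirect_uri: redirect_uri,
             scope: scopes.join(" "), state: state }
  ["#{AUTHORIZE_URL}?#{URI.encode_www_form(params)}", state]
end

# Constant-time comparison so the state check cannot be probed via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Step 2: on the callback, refuse to exchange the code unless `state`
# matches the session. Returns the exchange request, or nil to reject.
def token_exchange_request(client_id, client_secret, redirect_uri, callback_params, session_state)
  return nil unless session_state && secure_equal?(callback_params["state"].to_s, session_state)
  { method: "POST", url: TOKEN_URL, headers: { "Accept" => "application/json" },
    form: { client_id: client_id, client_secret: client_secret,
            code: callback_params["code"], redirect_uri: redirect_uri } }
end

# Step 3: turn the token response into absolute expiry times. OAuth App
# tokens carry no expires_in and do not expire on their own; GitHub App
# user-to-server tokens with expiration enabled return expires_in (8 hours)
# and a refresh_token with its own, much longer, expiry.
def parse_token_response(json, now: Time.now.to_i)
  body = JSON.parse(json)
  raise "OAuth error: #{body["error"]}" if body["error"]
  { access_token: body["access_token"],
    expires_at: body["expires_in"] && now + body["expires_in"].to_i,
    refresh_token: body["refresh_token"],
    refresh_expires_at: body["refresh_token_expires_in"] && now + body["refresh_token_expires_in"].to_i }
end

# Refresh a little early (default 5 minutes) so in-flight API calls do not
# fail on an expired token. A token without expires_at never needs refreshing.
def needs_refresh?(token, now: Time.now.to_i, margin: 300)
  !token[:expires_at].nil? && now + margin >= token[:expires_at]
end

# The refresh exchange. The response carries a new access token and a new
# refresh token: persist the whole new record and stop using the old one.
def refresh_request(client_id, client_secret, token, now: Time.now.to_i)
  if token[:refresh_expires_at] && token[:refresh_expires_at] <= now
    raise "refresh token expired; the user must authorize again"
  end
  { method: "POST", url: TOKEN_URL, headers: { "Accept" => "application/json" },
    form: { client_id: client_id, client_secret: client_secret,
            grant_type: "refresh_token", refresh_token: token[:refresh_token] } }
end
```

Each function returns the request it would send rather than sending it, so the flow can be exercised offline; in a real app the `form` hashes go out as `application/x-www-form-urlencoded` POST bodies and the client secret stays server-side, never in the browser redirect.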

Keep these ideas in mind when creating OAuth Apps:

  • A user or organization can own up to 100 OAuth Apps.
  • An OAuth App should always act as the authenticated GitHub user across all of GitHub (for example, when providing user notifications).
  • An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user.
  • Don't build an OAuth App if you want your application to act on a single repository. With the repo OAuth scope, OAuth Apps can act on all of the authenticated user's repositories.
  • Don't build an OAuth App to act as an application for your team or company. OAuth Apps authenticate as a single user, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
  • If you use your OAuth App with GitHub Actions and want to modify workflow files, the OAuth token must have the workflow scope, and the user must have admin or write permission to the repository that contains the workflow file. For more information, see "Understanding scopes for OAuth apps."

For more on OAuth Apps, see "Creating an OAuth App" and "Registering your app."

Personal access tokens

A personal access token is a string of characters that functions similarly to an OAuth token in that you can specify its permissions via scopes. A personal access token is also similar to a password, but you can have many of them and you can revoke access to each one at any time.

As an example, you can enable a personal access token to write to your repositories. If you then run a cURL command or write a script that creates an issue in your repository, you would pass the personal access token to authenticate. You can store the personal access token as an environment variable to avoid typing it every time you use it and to keep it out of your shell history and process arguments.

Keep these ideas in mind when using personal access tokens:

  • Remember to use this token to represent yourself only.
  • You can perform one-off cURL requests.
  • You can run personal scripts.
  • Don't set up a script for your whole team or company to use.
  • Don't set up a shared personal account to act as a bot user.
  • Grant your token the minimal privileges it needs.
  • Set an expiration for your personal access tokens, to help keep your information secure.

Determining which integration to build

Before you get started creating integrations, you need to determine the best way to access, authenticate, and interact with the GitHub APIs. The following image offers some questions to ask yourself when deciding whether to use personal access tokens, GitHub Apps, or OAuth Apps for your integration.

[Image: Intro to apps question flow]

Consider these questions about how your integration needs to behave and what it needs to access:

  • Will my integration act only as me, or will it act more like an application?
  • Do I want it to act independently of me as its own entity?
  • Will it access everything that I can access, or do I want to limit its access?
  • Is it simple or complex? For example, personal access tokens are good for simple scripts and one-off cURL requests, whereas an OAuth App can handle more complex scripting.

Requesting support

For questions, bug reports, and discussions about GitHub Apps, OAuth Apps, and API development, explore the API and Integrations discussions on GitHub Community. The discussions are moderated and maintained by GitHub staff, but questions posted to the forum are not guaranteed to receive a reply from GitHub staff.

Consider reaching out to GitHub Support directly using the contact form for:

  • guaranteed response from GitHub Enterprise Cloud staff
  • support requests involving sensitive data or private concerns
  • feature requests
  • feedback about GitHub Enterprise Cloud products