When you register a GitHub App, you can specify a setup URL. When users install your GitHub App, they are redirected to the setup URL. If additional setup is required after installation, you can use this URL to tell users what steps to take next.
If you specify a setup URL, you can also select Redirect on update to specify that users should be redirected to the setup URL after they update an installation. An update includes adding or removing access to a repository for an installation.
Warning
When GitHub redirects users to the setup URL, it includes an installation_id
query parameter. Bad actors can hit this URL with a spoofed installation_id
. Therefore, you should not rely on the validity of the installation_id
parameter. Instead, you should generate a user access token for the user who installed the GitHub App and then check that the installation is associated with that user. For more information, see Generating a user access token for a GitHub App.
Although the setup URL is optional during GitHub App registration, it is required if you want to allow users to purchase your app in GitHub Marketplace. For more information, see Handling new purchases and free trials.
The setup URL is different from the callback URL. Users are redirected to the setup URL after they install a GitHub App. Users are redirected to the callback URL when they authorize a GitHub App via the web application flow. For more information, see About the user authorization callback URL.
For more information about registering a GitHub App, see Registering a GitHub App. For more information about modifying a GitHub App registration, see Modifying a GitHub App registration.