What is GitHub App Installation Token?

Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours scrolling social media and waste money on things we forget, but won’t spend 30 minutes a day earning certifications that can change our lives.
Master in DevOps, SRE, DevSecOps & MLOps by DevOpsSchool!

Learn from Guru Rajesh Kumar and double your salary in just one year.

A GitHub App Installation Token is a short-lived access token that allows a GitHub App to interact with specific repositories or organizations where it has been installed — on behalf of itself, not a user.

🔐 Why is it Needed?

GitHub Apps do not use OAuth tokens like traditional apps. Instead, they:

Authenticate as the App using a JWT (JSON Web Token).
Exchange the JWT for an installation token for a specific installation of the app (per repo/org).
Use the installation token to make authenticated API calls (REST or GraphQL).

✅ What Can You Do with an Installation Token?

Once issued, an installation token:

Acts on behalf of the GitHub App installation
Honors the app’s granted permissions and scopes
Is limited to specific repositories where the app is installed
Expires in 1 hour

Example: If your GitHub App is installed on octo-org/repo-a and repo-b, your installation token can only access those, not others.

🛠️ How to Generate an Installation Token (Step-by-Step)

Step 1: Generate a JWT (as the App)

Use your app’s private key:

const jwt = require('jsonwebtoken');
const fs = require('fs');

const appId = 'YOUR_APP_ID';
const privateKey = fs.readFileSync('private-key.pem');

const token = jwt.sign(
  {
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + (10 * 60),
    iss: appId,
  },
  privateKey,
  { algorithm: 'RS256' }
);
Code language: JavaScript (javascript)

Step 2: Get Installation ID

Make a request using JWT to get installation ID:

GET /app/installations
Authorization: Bearer <JWT>
Code language: HTML, XML (xml)

Step 3: Exchange JWT for Installation Token

Use the installation ID from Step 2:

POST /app/installations/:installation_id/access_tokens
Authorization: Bearer <JWT>
Code language: HTML, XML (xml)

Response:

{
  "token": "v1.abc123...",
  "expires_at": "2025-05-14T12:00:00Z"
}
Code language: JSON / JSON with Comments (json)

Step 4: Use Installation Token to Call GitHub API

GET /repos/octo-org/repo-a/issues
Authorization: token v1.abc123...

🔄 Installation Token vs OAuth Token

Feature	Installation Token	OAuth Token
Acts as	GitHub App installation	Authenticated user
Scope	Repo/org installation	User’s authorized scopes
Use case	Automation, bots, CI/CD	User-based access and interaction
Expiry	1 hour	Long-lived unless revoked

🧠 Example Use Cases

CI/CD pipelines using GitHub Apps
Auto-responders on issues/pull requests
Infrastructure automation (e.g., with Terraform)
Custom bots interacting with GitHub

🧪 Final Notes

You must use a JWT to request an installation token.
Installation tokens cannot be refreshed — regenerate when expired.
Use Octokit or Probot for easier abstraction.

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs: