A GitHub App installation token is a short-lived access token that lets a GitHub App call the GitHub API against the specific repositories or organization where the app has been installed. It acts on behalf of the app installation itself, not on behalf of a user.
Why is it Needed?
GitHub Apps do not authenticate with a user's long-lived OAuth token the way traditional OAuth Apps do. Instead, they:
- Authenticate as the App using a JWT (JSON Web Token).
- Exchange the JWT for an installation token for a specific installation of the app (per repo/org).
- Use the installation token to make authenticated API calls (REST or GraphQL).
What Can You Do with an Installation Token?
Once issued, an installation token:
- Acts on behalf of the GitHub App installation, not any user
- Carries at most the permissions granted to the app on that installation (GitHub Apps use fine-grained permissions, not OAuth scopes), and can be narrowed further when requested
- Is limited to the repositories where the app is installed, and can likewise be narrowed to a subset of them when requested
- Expires one hour after it is issued
Example: If your GitHub App is installed on octo-org/repo-a and repo-b, your installation token can only access those two repositories, not others in the organization.
How to Generate an Installation Token (Step-by-Step)
Step 1: Generate a JWT (as the App)
Sign a short-lived JWT with your app's private key. GitHub rejects app JWTs valid for more than 10 minutes, and backdating iat by 60 seconds tolerates clock drift between your host and GitHub:
// Sign a JWT as the app itself using the private key downloaded from the app's settings page.
const jwt = require('jsonwebtoken');
const fs = require('fs');

const appId = 'YOUR_APP_ID';                           // App ID from the app's settings page
const privateKey = fs.readFileSync('private-key.pem'); // treat this file as a root credential
const now = Math.floor(Date.now() / 1000);

const token = jwt.sign(
  {
    iat: now - 60,        // issued 60 s in the past to absorb clock drift
    exp: now + (10 * 60), // 10 minutes: the maximum lifetime GitHub accepts
    iss: appId,           // identifies which app is signing
  },
  privateKey,
  { algorithm: 'RS256' }  // GitHub only accepts RS256 for app JWTs
);
Step 2: Get Installation ID
Call the API with the JWT to list the app's installations; each entry's id is the installation ID (it also appears in the installation's settings URL):
GET /app/installations
Authorization: Bearer <JWT>
Step 3: Exchange JWT for Installation Token
Use the installation ID from Step 2. The request may carry an optional JSON body with repositories and permissions keys to narrow the token to exactly what the job needs; GitHub rejects a request that asks for more than the installation was granted:
POST /app/installations/:installation_id/access_tokens
Authorization: Bearer <JWT>
Response (the token value is a placeholder; tokens issued today start with ghs_, and the response also reports the effective permissions and repository_selection):
{
"token": "v1.abc123...",
"expires_at": "2025-05-14T12:00:00Z"
}
Step 4: Use Installation Token to Call GitHub API
The installation token is a bearer credential: anyone who holds it can act as the installation until it expires, so keep it out of logs and build output. Either the token or the Bearer authorization scheme is accepted:
GET /repos/octo-org/repo-a/issues
Authorization: token v1.abc123...
Installation Token vs OAuth Token
Feature | Installation Token | OAuth Token |
---|---|---|
Acts as | GitHub App installation | Authenticated user |
Scope | Repositories/organization of one installation, bounded by the app's granted permissions | User's authorized OAuth scopes |
Use case | Automation, bots, CI/CD | User-based access and interaction |
Expiry | 1 hour | Does not expire unless revoked (classic OAuth App tokens) |
Example Use Cases
- CI/CD pipelines using GitHub Apps
- Auto-responders on issues/pull requests
- Infrastructure automation (e.g., with Terraform)
- Custom bots interacting with GitHub
Final Notes
- You must authenticate with a JWT signed by the app's private key to request an installation token. Guard that key as the root credential of the app: anyone holding it can mint installation tokens for every installation.
- Installation tokens cannot be refreshed; when one expires, sign a new JWT and request a new token (for long-running jobs, do this a few minutes before expiry).
- Octokit's @octokit/auth-app and Probot implement the JWT signing, token exchange and re-issuance for you.
I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I Reviewed, and SEO strategies at Wizbrand.
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND