A GitHub App can request an installation access token by using a private key with a JSON web token format out-of-band.
An installation token identifies the app as the GitHub Apps bot, such as @jenkins-bot.
Installation tokens expire after a predefined amount of time (currently 1 hour).
An OAuth app can exchange a request token for an access token after a redirect via a web request.
An access token identifies the app as the user who granted the token to the app, such as @octocat.
OAuth tokens remain active until they’re revoked by the customer.