1.1.3 Understand the Different Methods of Authentication

GitHub Apps primarily use token-based authentication in which tokens expire after a short amount of time, providing more security than an OAuth token that does not expire. It’s important to understand the different methods of authentication available to you and when you need to use them:

A JSON Web Token (JWT)

authenticates as the GitHub App. For example, you can authenticate with a JWT to fetch application installation details or exchange the JWT for an installation access token.

An installation access token

authenticates as a specific installation of your GitHub App (also called server-to-server requests). For example, you can authenticate with an installation access token to open an issue or provide feedback on a pull request.

The most common scenario is to authenticate as a specific installation using an installation access token.

An OAuth access token

can authenticate as a user of your GitHub App (also called user-to-server requests). For example, you can use an OAuth access token to authenticate as a user when a GitHub App needs to verify a user’s identity or act on a user’s behalf.
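The following is an added example, not code from this page or from GitHub: a pre-flight check that the JWT used to authenticate as the GitHub App is as short-lived as the text describes. The `iss`, `iat` and `exp` claims, the RS256 algorithm and the 10-minute ceiling are GitHub's documented requirements for app JWTs rather than details stated on this page; the function names, the app ID `12345` and the timestamps are constructed for illustration.

```python
import base64, json

MAX_AHEAD = 600  # seconds; GitHub rejects an app JWT whose exp is further ahead

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def signing_input(app_id, now, lifetime=540, alg="RS256"):
    """header.payload of an app JWT; the caller signs this string with the app's private key."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": app_id, "iat": now - 60, "exp": now + lifetime}  # iat backdated for clock drift
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))

def audit_app_jwt(token, now):
    """Lint an app JWT before it is sent. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["not a compact JWT (header.payload.signature)"]
    try:
        header, claims = (json.loads(unb64url(p)) for p in parts[:2])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg must be RS256")
    if not claims.get("iss"):
        problems.append("iss (the app's ID) is missing")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return problems + ["iat and exp must be integer timestamps"]
    if iat > now:
        problems.append("iat is in the future")
    if exp <= now:
        problems.append("token is expired")
    elif exp - now > MAX_AHEAD:
        problems.append("exp is more than 10 minutes ahead")
    return problems

# Constructed sample values; the signature segment is a placeholder, not a real signature.
NOW = 1_700_000_000
SIG = "." + b64url(b"placeholder-signature")
GOOD = signing_input("12345", NOW) + SIG
LONG_LIVED = signing_input("12345", NOW, lifetime=86_400) + SIG
```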