Next: , Up: Authorize an OAuth App   [Index]


1.2.2.1 Web Application Flow

The web application flow to authorize users for your app is:

  1. Users are redirected to request their GitHub identity
  2. Users are redirected back to your site by GitHub
  3. Your app accesses the API with the user’s access token

  1. Request a user’s GitHub identity
    GET https://github.com/login/oauth/authorize
    

    When your GitHub App specifies a ‘login’ parameter, it prompts users with a specific account they can use for signing in and authorizing your app.

    1. Parameters
      client_id

      (string) Required The client ID you received from GitHub when you registered.

      redirect_uri

      (string) The URL in your application where users will be sent after authorization.

      login

      (string) Suggests a specific account to use for signing in and authorizing the app.

      scope

      (string) A space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application.

      state

      (string) An unguessable random string. It is used to protect against cross-site request forgery attacks.

      allow_signup

      (string) Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is ‘true’.

  2. Users are redirected back to your site by GitHub

    If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. The temporary code will expire after 10 minutes. If the states don’t match, then a third party created the request, and you should abort the process.

    Exchange this code for an access token:

    POST https://github.com/login/oauth/access_token
    
    1. Parameters
      client_id

      (string) Required The client ID you received from GitHub for your GitHub App.

      client_secret

      (string) Required The client secret you received from GitHub for your GitHub App.

      code

      (string) Required The code you received as a response to Step 1.

      redirect_uri

      (string) The URL in your application where users are sent after authorization. If supplied, it must match the ‘redirect_uri’ used in Step 1.

      state

      (string) The unguessable random string you provided in Step 1.

    2. Response

      By default, the response takes the following form:

      access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer
      

      You can also receive the content in different formats depending on the ‘Accept’ header:

      Accept: application/json
      {"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a", "scope":"repo,gist", "token_type":"bearer"}
      
      Accept: application/xml
      <OAuth>
        <token_type>bearer</token_type>
        <scope>repo,gist</scope>
        <access_token>e72e16c7e42f292c6912e7710c838347ae178b4a</access_token>
      </OAuth>
      
  3. Use the access token to access the API

    The access token allows you to make requests to the API on behalf of the user who authorized your app.

    Authorization: token OAUTH-TOKEN
    GET https://api.github.com/user
    

    For example, in curl you can set the Authorization header like this:

    curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/user
    
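The three steps above, carried through end to end as an added example (this is not GitHub's own code; the client ID, client secret, redirect URI, the temporary code ‘tmpcode’ and the fake token endpoint are all constructed for the demo, and only the standard library is used). It generates an unguessable ‘state’, rejects a callback whose ‘state’ does not match, sends the code exchange with ‘Accept: application/json’, and parses either the default form-encoded body or the JSON body before building the ‘Authorization: token …’ header for Step 3. The HTTP transport is injectable so the flow runs offline against the fake endpoint.

```python
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def build_authorize_url(client_id, redirect_uri, scope="", login=None, allow_signup=True):
    """Step 1: build the redirect to GitHub; returns (url, state).

    state is 32 bytes from the OS CSPRNG (URL-safe base64). Store it
    server-side, bound to the user's session, before redirecting.
    """
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope  # space-delimited, e.g. "repo gist"
    if login:
        params["login"] = login
    if not allow_signup:
        params["allow_signup"] = "false"
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 2a: pull code and state out of the redirect back to redirect_uri.

    Raises ValueError (abort the flow) when state is absent or differs from
    the stored value; the comparison is constant-time.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: request was not started by this app, aborting")
    if not code:
        raise ValueError("callback carried no code parameter")
    return code


def parse_token_response(content_type, body):
    """Parse the access_token response: JSON when requested via Accept,
    otherwise the default form-encoded body. Rejects error bodies and
    anything that is not a bearer token."""
    if content_type.split(";")[0].strip() == "application/json":
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
    if "error" in data:
        raise RuntimeError("token request failed: " + str(data["error"]))
    if not data.get("access_token") or data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token response")
    return data


def _urllib_post(url, headers, body):
    """Default transport: a real HTTPS POST via urllib (not used by demo())."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read().decode()


def exchange_code(client_id, client_secret, code, redirect_uri, state, transport=_urllib_post):
    """Step 2b: POST the temporary code (it expires after 10 minutes) for a token.

    transport(url, headers, body_bytes) -> (content_type, body_text) is
    injectable so the flow can run offline. The client secret must only ever
    be sent from the server side, never from browser code.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "code": code, "redirect_uri": redirect_uri, "state": state,
    }).encode()
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    content_type, text = transport(TOKEN_URL, headers, body)
    return parse_token_response(content_type, text)


def api_request_headers(access_token):
    """Step 3: header for calls to api.github.com on the user's behalf."""
    return {"Authorization": "token " + access_token}


# Constructed stand-in for GitHub's token endpoint: answers with the page's
# sample JSON for one known code, and with an error body for anything else.
SAMPLE_CODE = "tmpcode"
SAMPLE_TOKEN = "e72e16c7e42f292c6912e7710c838347ae178b4a"


def fake_github_transport(url, headers, body):
    fields = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
    assert url == TOKEN_URL and headers["Accept"] == "application/json"
    if fields.get("code") == SAMPLE_CODE and fields.get("client_secret"):
        return "application/json", json.dumps(
            {"access_token": SAMPLE_TOKEN, "scope": "repo,gist", "token_type": "bearer"})
    return "application/json", json.dumps({"error": "bad_verification_code"})


def demo():
    """Run all three steps against the fake endpoint; returns the token dict."""
    client_id, client_secret = "abc123clientid", "example-secret"  # constructed
    redirect_uri = "https://app.example.com/oauth/callback"        # constructed
    url, state = build_authorize_url(client_id, redirect_uri, scope="repo gist")
    # GitHub would now redirect the browser to `url`; simulate its return trip:
    callback = redirect_uri + "?" + urllib.parse.urlencode({"code": SAMPLE_CODE, "state": state})
    code = parse_callback(callback, state)
    return exchange_code(client_id, client_secret, code, redirect_uri, state,
                         transport=fake_github_transport)


if __name__ == "__main__":
    token = demo()
    print(token, api_request_headers(token["access_token"]))
```

To use it against GitHub for real, drop the ‘transport=’ argument so exchange_code posts with urllib, and persist the returned state in the user's server-side session between Step 1 and Step 2 rather than in a local variable.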
