Support GitHub App authentication with client credentials

[robosek]

Currently, the server only supports authentication via Personal Access Tokens (PAT) or OAuth.

For organizations managing multiple integrations, GitHub Apps are preferred because they:

• Provide more granular permissions
• Include all repos in organization (PAT includes only 50)

Add support for GitHub App authentication using:

• App ID
• Client ID
• Private key (path to .pem file or secret)

This would allow the server to generate installation tokens programmatically instead of requiring PATs.

Alternative configuration:
{
"GITHUB_APP_ID": "123456",
"GITHUB_CLIENT_ID": "Iv1.abc123",
"GITHUB_PRIVATE_KEY_PATH": "/path/to/private-key.pem"
}

Is this on the roadmap?

[almaleksia]

GitHub MCP supports installation tokens, you can generate it following this doc: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app

You can use this token instead of PAT.

[opsteamp44]

@almaleksia Does it support User access tokens?
I tried creating a device token for the app using my user and it didn't work

[almaleksia]

Yes, we support user access tokens. What do you mean by device token? At the end of the flow described here you should get the token that starts with ghu_ prefix.

Can you describe step by step how you generate token and what error are you getting?

[SamMorrowDrums]

Can you have a look at #1649 it provides a secure url elicitation oauth flow including bring your own app, with client id and secret.

Right now it's experimental, but in hope it will be merged eventually.

[wischli]

GitHub MCP supports installation tokens, you can generate it following this doc: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app

You can use this token instead of PAT.

As per the docs, these tokens expire after an hour which makes it impractical?!

[almaleksia]

That's how app authentication flow works according to OAuth, you have long lived refresh tokens and short-lived access tokens. The client is responsible for requesting new tokens when old ones expire.

[SamMorrowDrums]

Try this testing release of STDIO server with baked in oauth app that also supports bring your own app:

#132 (comment)