diff --git a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md index 4291dafe7ee5..8270f8ec9ecb 100644 --- a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md +++ b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md 
@@ -52,9 +52,9 @@ Using your IdP's allow list deactivates the {% data variables.product.company_sh By default, your IdP runs the CAP on the initial interactive SAML or OIDC sign-in to {% data variables.product.company_short %} for any IP allow list configuration you choose. -The OIDC CAP only applies for requests to the API using a user-to-server token, such as a token for an {% data variables.product.prodname_oauth_app %} or a {% data variables.product.prodname_github_app %} acting on behalf of a user. The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses a server-to-server token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)" and "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)." +The OIDC CAP only applies for requests to the API using a user token, such as an OAuth token for an {% data variables.product.prodname_oauth_app %} or a user access token for a {% data variables.product.prodname_github_app %} acting on behalf of a user. The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses an installation access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)" and "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)." -To ensure seamless use of the OIDC CAP while still applying the policy to user-to-server tokens, you must copy all of the IP ranges from each {% data variables.product.prodname_github_app %} that your enterprise uses to your IdP policy. 
+To ensure seamless use of the OIDC CAP while still applying the policy to OAuth tokens and user access tokens, you must copy all of the IP ranges from each {% data variables.product.prodname_github_app %} that your enterprise uses to your IdP policy. ## Using {% data variables.product.company_short %}'s IP allow list diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md index c3a0f1853226..8b223fc0d2a3 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md 
@@ -37,7 +37,7 @@ If you're unable to use a service account, another option for unblocking actions ### {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} -When {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} sign a user in and make requests on that user's behalf, also known as a [`user-to-server` request](/get-started/quickstart/github-glossary#user-to-server-request), {% data variables.product.prodname_dotcom %} will send the IP address of the app's server to your IdP for validation. If the IP address of the app's server is not validated by your IdP's CAP, the request will fail. +When {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} sign a user in and make requests on that user's behalf, {% data variables.product.prodname_dotcom %} will send the IP address of the app's server to your IdP for validation. If the IP address of the app's server is not validated by your IdP's CAP, the request will fail. When {% data variables.product.prodname_github_apps %} call {% data variables.product.prodname_dotcom %} APIs acting either as the app itself or as an installation, these calls are not performed on behalf of a user. Since your IdP's CAP executes and applies policies to user accounts, these application requests cannot be validated against CAP and are always allowed through. For more information on {% data variables.product.prodname_github_apps %} authenticating as themselves or as an installation, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)". diff --git a/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation.md b/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation.md index 3bf3b2181d5f..f1512107f597 100644 
--- a/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation.md +++ b/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation.md 
@@ -19,10 +19,12 @@ For example, if you want your app to change the `Status` field of an issue on a To make an API request as an installation, you must first generate an installation access token. Then, you will send the installation access token in the `Authorization` header of your subsequent API requests. You can also use {% data variables.product.company_short %}'s Octokit SDKs, which can generate an installation access token for you. -API requests that are made by app installations are called "server-to-server requests." If a REST API endpoint works with server-to-server requests, the REST reference documentation for that endpoint will say "Works with {% data variables.product.prodname_github_apps %}." Additionally, your app must have the required permissions to use the endpoint. For more information about the permissions required for REST API endpoints, see "[Permissions required for GitHub Apps](/rest/overview/permissions-required-for-github-apps)." +If a REST API endpoint works with a {% data variables.product.prodname_github_app %} installation access token, the REST reference documentation for that endpoint will say "Works with {% data variables.product.prodname_github_apps %}." Additionally, your app must have the required permissions to use the endpoint. For more information about the permissions required for REST API endpoints, see "[Permissions required for GitHub Apps](/rest/overview/permissions-required-for-github-apps)." App installations can also use the GraphQL API. Similar to the REST API, the app must have certain permissions to access objects in the GraphQL API. For GraphQL requests, you should test you app to ensure that your app has the required permissions for the GraphQL queries and mutations that you want to make. +Requests made with an installation access token are sometimes called "server-to-server" requests. 
+ For more information about authenticating as an app on behalf of a user instead of as an app installation, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps)". ## Using an installation access token to authenticate as an app installation diff --git a/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md b/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md index 61d1312e726a..13a589b3bd39 100644 --- a/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md +++ b/content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user.md 
@@ -28,6 +28,8 @@ To make an API request on behalf of a user, the user must authorize your app. If When a user installs an app on their account or organization, they grant the app permission to access the organization and repository resources that it requested. During the installation process, they will also see a list of user permissions that the app can request for individual users. When a user authorizes an app, they grant the app permission to act on their behalf, and they grant the user permissions that the app requested. -Once a user has authorized your app, you can generate a user access token, which is a type of OAuth token. You should send the user access token in the `Authorization` header of your subsequent API requests. For more information about generating a user access token, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)." +Once a user has authorized your app, you can generate a user access token, which is a type of OAuth token. You should send the user access token in the `Authorization` header of your subsequent API requests. For more information about prompting a user to authorize your app and generating a user access token, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)." + +Requests made with a user access token are sometimes called "user-to-server" requests. If you want to attribute app activity to the app instead of to a user, you should authenticate as an app installation instead. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)." 
diff --git a/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md b/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md index baf50f4c5145..3096a68be699 100644 --- a/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md +++ b/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md 
@@ -21,7 +21,7 @@ Similarly, a user access token can only access resources that both the user and When you make API requests with a user access token, the rate limits for user access tokens apply. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/rate-limits-for-github-apps)." -By default, the user access token expires after 8 hours. You can use a refresh token to regenerate a user access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-to-server-access-tokens)." +By default, the user access token expires after 8 hours. You can use a refresh token to regenerate a user access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)." Users can revoke their authorization of a {% data variables.product.prodname_github_app %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation)." If a user revokes their authorization of a {% data variables.product.prodname_github_app %}, the app will receive the `github_app_authorization` webhook. {% data variables.product.prodname_github_apps %} cannot unsubscribe from this event. If your app receives this webhook, you should stop calling the API on behalf of the user who revoked the token. If your app continues to use a revoked access token, it will receive the `401 Bad Credentials` error. For more information about this webhook, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#github_app_authorization)" 
@@ -59,7 +59,7 @@ If your app runs in the browser, you should use the web application flow to gene If your app is headless or does not have access to a browser, you should use the device flow to generate a user access token. For example, CLI tools or Git credential mangers should use the device flow. -{% ifversion device-flow-is-opt-in %}Before you can use the device flow to identify and authorize users, you must first enable it in your app's settings. For more information on enabling device flow, see "[AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app)." {% endif %} +{% ifversion device-flow-is-opt-in %}Before you can use the device flow, you must first enable it in your app's settings. For more information on enabling device flow, see "[AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app)." {% endif %} The device flow uses the OAuth 2.0 Device Authorization Grant. 
@@ -129,7 +129,7 @@ You can generate a user access token with this method regardless of whether the ## Using a refresh token to generate a user access token -By default, user access tokens expires after 8 hours. If you receive a user access token with an expiration, you will also receive a refresh token. The refresh token expire after 6 months. You can use this refresh token to regenerate a user access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-to-server-access-tokens)." +By default, user access tokens expires after 8 hours. If you receive a user access token with an expiration, you will also receive a refresh token. The refresh token expire after 6 months. You can use this refresh token to regenerate a user access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)." {% data variables.product.company_short %} strongly encourages you to use user access tokens that expire. If you previously opted out of using user access tokens that expire but want to reenable this feature, see "[AUTOTITLE](/apps/maintaining-github-apps/activating-optional-features-for-apps)". diff --git a/content/apps/creating-github-apps/creating-github-apps/about-apps.md b/content/apps/creating-github-apps/creating-github-apps/about-apps.md index 507febefbb61..c97589a8fde9 100644 --- a/content/apps/creating-github-apps/creating-github-apps/about-apps.md +++ b/content/apps/creating-github-apps/creating-github-apps/about-apps.md 
@@ -40,12 +40,12 @@ Keep these ideas in mind when creating {% data variables.product.prodname_github {% ifversion fpt or ghec %} * {% data reusables.apps.maximum-github-apps-allowed %} {% endif %} -* A {% data variables.product.prodname_github_app %} should take actions independent of a user (unless the app is using a [user-to-server](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). {% data reusables.apps.expiring_user_authorization_tokens %} +* A {% data variables.product.prodname_github_app %} should take actions independent of a user (unless the app is using a [user access token](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)). {% data reusables.apps.expiring_user_authorization_tokens %} * Make sure the {% data variables.product.prodname_github_app %} integrates with specific repositories. * The {% data variables.product.prodname_github_app %} should connect to a personal account or an organization. * Don't expect the {% data variables.product.prodname_github_app %} to know and do everything a user can. -* Don't use a {% data variables.product.prodname_github_app %} if you just need a "Login with GitHub" service. But a {% data variables.product.prodname_github_app %} can use a [user identification flow](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things. +* Don't use a {% data variables.product.prodname_github_app %} if you just need a "Login with GitHub" service. But a {% data variables.product.prodname_github_app %} can generate a [user access token](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app) to log users in _and_ do other things. 
* Don't build a {% data variables.product.prodname_github_app %} if you _only_ want to act as a GitHub user and do everything that user can do.{% ifversion fpt or ghec %} * {% data reusables.apps.general-apps-restrictions %}{% endif %} diff --git a/content/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url.md b/content/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url.md index 71ee616c30a3..1f333e9acd83 100644 --- a/content/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url.md +++ b/content/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url.md 
@@ -11,10 +11,10 @@ topics: shortTitle: Callback URL --- -When you create a {% data variables.product.prodname_github_app %}, you can specify a callback URL. When you use the web application flow to identify and authorize users, users will be redirected to the callback URL after they authorize the app. +When you create a {% data variables.product.prodname_github_app %}, you can specify a callback URL. When you use the web application flow to generate a user access token in order to act on behalf of a user, users will be redirected to the callback URL after they authorize the app. -You can specify up to 10 callback URLs. If you specify multiple callback URLs, you can use the `redirect_uri` parameter when you identify and authorize a user to indicate which callback URL the user should be redirected to. If you do not specify `redirect_uri`, the first callback URL will be used. +You can specify up to 10 callback URLs. If you specify multiple callback URLs, you can use the `redirect_uri` parameter when you prompt the user to authorize your app, to indicate which callback URL the user should be redirected to. If you do not specify `redirect_uri`, the first callback URL will be used. The callback URL is different from the setup URL. Users are redirected to the setup URL after they install an app. Users are redirected to the callback URL when they authorize an app via the web application flow. -For more information about identifying and authorizing users, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#parameters)". For more information about creating a {% data variables.product.prodname_github_app %}, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app)." +For more information about generating user access tokens, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)". 
For more information about creating a {% data variables.product.prodname_github_app %}, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app)." diff --git a/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app-using-url-parameters.md b/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app-using-url-parameters.md index 0be25a9b68e8..7604d8c9dd03 100644 --- a/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app-using-url-parameters.md +++ b/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app-using-url-parameters.md 
@@ -40,7 +40,7 @@ The complete list of available query parameters, permissions, and events is list `name` | `string` | The name of the {% data variables.product.prodname_github_app %}. Give your app a clear and succinct name. Your app cannot have the same name as an existing GitHub user, unless it is your own user or organization name. A slugged version of your app's name will be shown in the user interface when your integration takes an action. `description` | `string` | A description of the {% data variables.product.prodname_github_app %}. `url` | `string` | The full URL of your {% data variables.product.prodname_github_app %}'s website homepage. -`callback_urls` | `array of strings` | A full URL to redirect to after someone authorizes an installation. You can provide up to 10 callback URLs. These URLs are used if your app needs to identify and authorize user-to-server requests. For example, `callback_urls[]=https://example.com&callback_urls[]=https://example-2.com`. +`callback_urls` | `array of strings` | A full URL to redirect to after someone authorizes an installation. You can provide up to 10 callback URLs. These URLs are used if your app needs to generate a user access token. For example, `callback_urls[]=https://example.com&callback_urls[]=https://example-2.com`. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url)." `request_oauth_on_install` | `boolean` | If your app authorizes users using the OAuth flow, you can set this option to `true` to allow people to authorize the app when they install it, saving a step. If you select this option, the `setup_url` becomes unavailable and users will be redirected to your `callback_url` after installing the app. `setup_url` | `string` | The full URL to redirect to after someone installs the {% data variables.product.prodname_github_app %} if the app requires additional setup after installation. 
`setup_on_update` | `boolean` | Set to `true` to redirect people to the setup URL when installations have been updated, for example, after repositories are added or removed. diff --git a/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app.md b/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app.md index 0e7b7cd1a00e..c222a9c7e121 100644 --- a/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app.md +++ b/content/apps/creating-github-apps/creating-github-apps/creating-a-github-app.md 
@@ -41,7 +41,7 @@ You can create a {% data variables.product.prodname_github_app %} owned by your If your app does not need to act on behalf of a user (does not need to generate a user access token), this field will be ignored. If your app uses device flow instead of web application flow to generate a user access token, this field will be ignored. For more information about the callback URL, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url)." For more information about generating a user access token to act on behalf of a user, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user)" and "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)." -1. Optionally, to prevent user access tokens from expiring, deselect **Expire user authorization tokens**. {% data variables.product.company_short %} strongly recommends that you leave this option selected. For more information about refreshing expired tokens and the benefits of user access tokens that expire, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-to-server-access-tokens)." If your app does not need to generate a user access token, this field will be ignored. +1. Optionally, to prevent user access tokens from expiring, deselect **Expire user authorization tokens**. {% data variables.product.company_short %} strongly recommends that you leave this option selected. For more information about refreshing expired tokens and the benefits of user access tokens that expire, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)." If your app does not need to generate a user access token, this field will be ignored. 1. 
Optionally, to prompt users to authorize your app when they install it, select **Request user authorization (OAuth) during installation**. If a user authorizes your app, your app can generate a user access token in order make API requests on the user's behalf and attribute app activity to the user. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user)" and "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)." 1. Optionally, if you want to use device flow to generate a user access token, select **Enable Device Flow**. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)." 1. Optionally, under "Setup URL", enter the URL to redirect users to after they install your app. If additional setup is required after installation, you can use this URL to tell users what steps to take after installation. diff --git a/content/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps.md b/content/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps.md index b6178e5f3713..ea471d53b94b 100644 --- a/content/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps.md +++ b/content/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps.md 
@@ -64,10 +64,10 @@ An _authorized_ OAuth App has access to all of the user's or organization owner' | ----- | ----------- | | A GitHub App can request an installation access token by using a private key with a JSON web token format out-of-band. | An OAuth app can exchange a request token for an access token after a redirect via a web request. | | An installation token identifies the app as the GitHub Apps bot, such as @jenkins-bot. | An access token identifies the app as the user who granted the token to the app, such as @octocat. | -| Installation tokens expire after a predefined amount of time (currently 1 hour). | OAuth tokens remain active until they're revoked by the customer. | -| {% data variables.product.prodname_github_apps %} installed on organizations or repositories are subject to rate limits for server-to-server requests. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/rate-limits-for-github-apps)." | OAuth tokens use the user's rate limit of {% ifversion fpt or ghec or ghes %}5,000{% elsif ghae %}15,000{% endif %} requests per hour. | +| Installation access tokens expire after a predefined amount of time (currently 1 hour). | OAuth tokens remain active until they're revoked by the customer. | +| {% data variables.product.prodname_github_apps %} installed on organizations or repositories are subject to rate limits that scale with the number of installations. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/rate-limits-for-github-apps)." | OAuth tokens use the user's rate limit of {% ifversion fpt or ghec or ghes %}5,000{% elsif ghae %}15,000{% endif %} requests per hour. | | Rate limit increases can be granted both at the GitHub Apps level (affecting all installations) and at the individual installation level. | Rate limit increases are granted per OAuth App. Every token granted to that OAuth App gets the increased limit. 
| -| {% data variables.product.prodname_github_apps %} can authenticate on behalf of the user, which is called a user-to-server request. The flow to authorize is the same as the OAuth App authorization flow. User-to-server tokens can expire and be renewed with a refresh token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-to-server-access-tokens)" and "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps)." | The OAuth flow used by {% data variables.product.prodname_oauth_apps %} authorizes an {% data variables.product.prodname_oauth_app %} on behalf of the user. This is the same flow used in {% data variables.product.prodname_github_app %} user-to-server authorization. | +| {% data variables.product.prodname_github_apps %} can authenticate on behalf of the user. The flow to authorize is the same as the {% data variables.product.prodname_oauth_app %} authorization flow. User access tokens can expire and be renewed with a refresh token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)" and "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps)." | The OAuth flow used by {% data variables.product.prodname_oauth_apps %} authorizes an {% data variables.product.prodname_oauth_app %} on behalf of the user. This is the same flow used to generate a {% data variables.product.prodname_github_app %} user access token. | ## Requesting permission levels for resources diff --git a/content/apps/creating-github-apps/guides/migrating-oauth-apps-to-github-apps.md b/content/apps/creating-github-apps/guides/migrating-oauth-apps-to-github-apps.md index c64fd122d3f2..8f43ac6ccd07 100644 --- a/content/apps/creating-github-apps/guides/migrating-oauth-apps-to-github-apps.md 
+++ b/content/apps/creating-github-apps/guides/migrating-oauth-apps-to-github-apps.md 
@@ -24,7 +24,7 @@ This article provides guidelines for existing integrators who are considering mi - [Short-lived tokens](/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps#token-based-identification) provide a more secure authentication method over OAuth tokens. An OAuth token does not expire until the person who authorized the OAuth App revokes the token. GitHub Apps use tokens that expire quickly, creating a much smaller window of time for compromised tokens to be in use. - [Built-in, centralized webhooks](/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps#webhooks) receive events for all repositories and organizations the app can access. Conversely, OAuth Apps require configuring a webhook for each repository and organization accessible to the user. - [Bot accounts](/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps#machine-vs-bot-accounts) don't consume a {% data variables.product.product_name %} seat and remain installed even when the person who initially installed the app leaves the organization. -- Built-in support for OAuth is still available to GitHub Apps using [user-to-server endpoints](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps). +- Built-in support for OAuth is still available to GitHub Apps using [endpoints with a user access token](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps). - Dedicated [API rate limits](/apps/creating-github-apps/creating-github-apps/rate-limits-for-github-apps) for bot accounts scale with your integration. - Repository owners can [install GitHub Apps](/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps#who-can-install-github-apps-and-authorize-oauth-apps) on organization repositories. 
If a GitHub App's configuration has permissions that request an organization's resources, the org owner must approve the installation. - Open Source community support is available through [Octokit libraries](/rest/overview/libraries) and other frameworks such as [Probot](https://probot.github.io/). @@ -47,7 +47,7 @@ These guidelines assume that you have a registered OAuth App{% ifversion fpt or ### Review the available API endpoints for GitHub Apps -While the majority of [REST API](/rest) endpoints and [GraphQL](/graphql) queries are available to GitHub Apps today, we are still in the process of enabling some endpoints. Review the [available REST endpoints](/rest/overview/endpoints-available-for-github-apps) to ensure that the endpoints you need are compatible with GitHub Apps. Note that some of the API endpoints enabled for GitHub Apps allow the app to act on behalf of the user. See "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-to-server-requests)" for a list of endpoints that allow a GitHub App to authenticate as a user. +While the majority of [REST API](/rest) endpoints and [GraphQL](/graphql) queries are available to GitHub Apps today, we are still in the process of enabling some endpoints. Review the [available REST endpoints](/rest/overview/endpoints-available-for-github-apps) to ensure that the endpoints you need are compatible with GitHub Apps. Note that some of the API endpoints enabled for GitHub Apps allow the app to act on behalf of the user. See "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user)" for a list of endpoints that allow a GitHub App to authenticate as a user. We recommend reviewing the list of API endpoints you need as early as possible. Please let Support know if there is an endpoint you require that is not yet enabled for {% data variables.product.prodname_github_apps %}. 
@@ -74,8 +74,8 @@ After you've created a new GitHub App and selected its permissions, you can sele GitHub Apps primarily use a token-based authentication that expires after a short amount of time, providing more security than an OAuth token that does not expire. It’s important to understand the different methods of authentication available to you and when you need to use them: * A **JSON Web Token (JWT)** [authenticates as the GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app). For example, you can authenticate with a **JWT** to fetch application installation details or exchange the **JWT** for an **installation access token**. -* An **installation access token** [authenticates as a specific installation of your GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) (also called server-to-server requests). For example, you can authenticate with an **installation access token** to open an issue or provide feedback on a pull request. -* An **OAuth access token** can [authenticate as a user of your GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#identifying-users-on-your-site) (also called user-to-server requests). For example, you can use an OAuth access token to authenticate as a user when a GitHub App needs to verify a user’s identity or act on a user’s behalf. +* An **installation access token** [authenticates as a specific installation of your GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app). For example, you can authenticate with an **installation access token** to open an issue or provide feedback on a pull request. 
+* An **user access token** can [authenticate as a user of your GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user). For example, you can use an OAuth access token to authenticate as a user when a GitHub App needs to verify a user’s identity or act on a user’s behalf. The most common scenario is to authenticate as a specific installation using an **installation access token**. diff --git a/content/apps/maintaining-github-apps/editing-a-github-apps-permissions.md b/content/apps/maintaining-github-apps/editing-a-github-apps-permissions.md index baa9cf5983c0..dce5bbff964c 100644 --- a/content/apps/maintaining-github-apps/editing-a-github-apps-permissions.md +++ b/content/apps/maintaining-github-apps/editing-a-github-apps-permissions.md @@ -17,7 +17,7 @@ shortTitle: Edit permissions --- {% note %} -**Note:** Updated permissions won't take effect on an installation until the owner of the account or organization approves the changes. You can use the [InstallationEvent webhook](/webhooks-and-events/webhooks/webhook-events-and-payloads#installation) to find out when people accept new permissions for your app. One exception is [user-level permissions](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-level-permissions), which don't require the account owner to approve permission changes. +**Note:** Updated permissions won't take effect on an installation until the owner of the account or organization approves the changes. You can use the [InstallationEvent webhook](/webhooks-and-events/webhooks/webhook-events-and-payloads#installation) to find out when people accept new permissions for your app. One exception is user-level permissions, which don't require the account owner to approve permission changes. {% endnote %} 
diff --git a/content/apps/maintaining-github-apps/installing-github-apps.md b/content/apps/maintaining-github-apps/installing-github-apps.md index a182132792e4..5f9a704d2d47 100644 --- a/content/apps/maintaining-github-apps/installing-github-apps.md +++ b/content/apps/maintaining-github-apps/installing-github-apps.md @@ -58,7 +58,7 @@ These steps assume you have [built a {% data variables.product.prodname_github_a You can simplify the authorization process by completing it during app installation. To do this, select **Request user authorization (OAuth) during installation** when creating or modifying your app in GitHub. See "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app)" to learn more. -Once someone has installed your app, you will need to get an access token for the user. See steps 2 and 3 in "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#identifying-users-on-your-site)" to learn more. +Once someone has installed your app, you will need to get an access token for the user. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)." ## Preserving an application state during installation You can provide a `state` parameter in an app's installation URL to preserve the state of the application page and return people back to that state after they install, authenticate, or accept updates to your GitHub App. For example, you could use the `state` to correlate an installation to a user or account. diff --git a/content/apps/maintaining-github-apps/modifying-a-github-app.md b/content/apps/maintaining-github-apps/modifying-a-github-app.md index d8eed75209df..d1be70ac55d3 100644 --- a/content/apps/maintaining-github-apps/modifying-a-github-app.md +++ b/content/apps/maintaining-github-apps/modifying-a-github-app.md 
@@ -19,5 +19,5 @@ topics: {% data reusables.user-settings.github_apps %} {% data reusables.user-settings.modify_github_app %} 1. In "Basic information", modify the GitHub App information that you'd like to change.{% ifversion device-flow-is-opt-in %} -1. If your GitHub App will use the device flow to identify and authorize users, click **Enable device flow**. For more information about the device flow, see "[AUTOTITLE](/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow)."{% endif %} +1. If your GitHub App will use the device flow to generate a user access token, click **Enable device flow**. For more information about device flow, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)."{% endif %} 1. Click **Save changes**. diff --git a/content/apps/using-github-apps/authorizing-github-apps.md b/content/apps/using-github-apps/authorizing-github-apps.md index 76905ee5609a..74058d1c5fc5 100644 --- a/content/apps/using-github-apps/authorizing-github-apps.md +++ b/content/apps/using-github-apps/authorizing-github-apps.md 
@@ -30,7 +30,7 @@ During authorization, you'll be prompted to grant the {% data variables.product. The situations in which a {% data variables.product.prodname_github_app %} acts on your behalf vary according to the purpose of the {% data variables.product.prodname_github_app %} and the context in which it is being used. -For example, an integrated development environment (IDE) may use a {% data variables.product.prodname_github_app %} to interact on your behalf in order to push changes you have authored through the IDE back to repositories on {% data variables.product.prodname_dotcom %}. The {% data variables.product.prodname_github_app %} will achieve this through a [user-to-server request](/get-started/quickstart/github-glossary#user-to-server-request). +For example, an integrated development environment (IDE) may use a {% data variables.product.prodname_github_app %} to interact on your behalf in order to push changes you have authored through the IDE back to repositories on {% data variables.product.prodname_dotcom %}. When a {% data variables.product.prodname_github_app %} acts on your behalf in this way, this is identified on GitHub via a special icon that shows a small avatar for the {% data variables.product.prodname_github_app %} overlaid onto your own avatar, similar to the one shown below. diff --git a/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md b/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md index d29ff254f081..143cb3c6ffa8 100644 --- a/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md +++ b/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md 
@@ -119,25 +119,25 @@ You can then use the hostname's alias to interact with the repository using SSH, $ git clone git@{% ifversion fpt or ghec %}github.com{% else %}my-GHE-hostname.com{% endif %}-repo-1:OWNER/repo-1.git ``` -## Server-to-server tokens +## {% data variables.product.prodname_github_app %} installation access tokens -If your server needs to access repositories across one or more organizations, you can use a GitHub App to define the access you need, and then generate _tightly-scoped_, _server-to-server_ tokens from that GitHub App. The server-to-server tokens can be scoped to single or multiple repositories, and can have fine-grained permissions. For example, you can generate a token with read-only access to a repository's contents. +If your server needs to access repositories across one or more organizations, you can use a GitHub App to define the access you need, and then generate _tightly-scoped_, installation access tokens from that GitHub App. The installation access tokens can be scoped to single or multiple repositories, and can have fine-grained permissions. For example, you can generate a token with read-only access to a repository's contents. -Since GitHub Apps are a first class actor on {% data variables.product.product_name %}, the server-to-server tokens are decoupled from any GitHub user, which makes them comparable to "service tokens". Additionally, server-to-server tokens have dedicated rate limits that scale with the size of the organizations that they act upon. For more information, see [Rate limits for {% data variables.product.prodname_github_apps %}](/apps/creating-github-apps/creating-github-apps/rate-limits-for-github-apps). +Since GitHub Apps are a first class actor on {% data variables.product.product_name %}, the installation access tokens are decoupled from any GitHub user, which makes them comparable to "service tokens". 
Additionally, installation access tokens have dedicated rate limits that scale with the size of the organizations that they act upon. For more information, see [Rate limits for {% data variables.product.prodname_github_apps %}](/apps/creating-github-apps/creating-github-apps/rate-limits-for-github-apps). -### Pros of server-to-server tokens +### Pros of installation access tokens - Tightly-scoped tokens with well-defined permission sets and expiration times (1 hour, or less if revoked manually using the API). - Dedicated rate limits that grow with your organization. - Decoupled from GitHub user identities, so they do not consume any licensed seats. - Never granted a password, so cannot be directly signed in to. -### Cons of server-to-server tokens +### Cons of installation access tokens - Additional setup is needed to create the GitHub App. -- Server-to-server tokens expire after 1 hour, and so need to be re-generated, typically on-demand using code. +- Installation access tokens expire after 1 hour, and so need to be re-generated, typically on-demand using code. -### Set up server-to-server tokens +### Set up installation access tokens 1. Determine if your GitHub App should be public or private. If your GitHub App will only act on repositories within your organization, you likely want it private. 1. Determine the permissions your GitHub App requires, such as read-only access to repository contents. 
@@ -146,8 +146,10 @@ Since GitHub Apps are a first class actor on {% data variables.product.product_ 1. Generate and download your GitHub App's private key, and store this safely. For more information, see [Generating a private key](/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps). 1. Install your GitHub App on the repositories it needs to act upon, optionally you may install the GitHub App on all repositories in your organization. 1. Identify the `installation_id` that represents the connection between your GitHub App and the organization repositories it can access. Each GitHub App and organization pair have at most a single `installation_id`. You can identify this `installation_id` via [Get an organization installation for the authenticated app](/rest/apps#get-an-organization-installation-for-the-authenticated-app). This requires authenticating as a GitHub App using a JWT, for more information see [Authenticating as a GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app). -1. Generate a server-to-server token using the corresponding REST API endpoint, [Create an installation access token for an app](/rest/apps#create-an-installation-access-token-for-an-app). This requires authenticating as a GitHub App using a JWT, for more information see [Authenticating as a GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app), and [Authenticating as an installation](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation). -1. Use this server-to-server token to interact with your repositories, either via the REST or GraphQL APIs, or via a Git client. +1. Generate an installation access token using the corresponding REST API endpoint, [Create an installation access token for an app](/rest/apps#create-an-installation-access-token-for-an-app). 
This requires authenticating as a GitHub App using a JWT, for more information see [Authenticating as a GitHub App](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app), and [Authenticating as an installation](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation). +1. Use this installation access token to interact with your repositories, either via the REST or GraphQL APIs, or via a Git client. + +For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app)." ## Machine users diff --git a/content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md b/content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md index 0b3f610bb5b7..b073aefeef40 100644 --- a/content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md +++ b/content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md 
@@ -132,4 +132,4 @@ To use a {% data variables.product.pat_generic %} or SSH key to access resources | OAuth access token | `gho_` | "[AUTOTITLE](/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps)" | | User access token for a {% data variables.product.prodname_github_app %} | `ghu_` | "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps)" | | Installation access token for a {% data variables.product.prodname_github_app %} | `ghs_` | "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)" | -| Refresh token for a {% data variables.product.prodname_github_app %} | `ghr_` | "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-to-server-access-tokens)" | +| Refresh token for a {% data variables.product.prodname_github_app %} | `ghr_` | "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)" | diff --git a/content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md b/content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md index 671983249417..0321d8c25641 100644 --- a/content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md +++ b/content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md 
@@ -59,4 +59,4 @@ The owner of an {% data variables.product.prodname_oauth_app %} can revoke an ac ## User token revoked due to {% data variables.product.prodname_github_app %} configuration -User-to-server tokens created by a {% data variables.product.prodname_github_app %} will expire after eight hours by default. Owners of {% data variables.product.prodname_github_apps %} can optionally change the default expiration period for their user-to-server tokens, or configure the tokens to never expire. For more information about configuring your {% data variables.product.prodname_dotcom %} App's user-to-server tokens, see "[AUTOTITLE](/apps/maintaining-github-apps/activating-optional-features-for-apps)." +User access tokens created by a {% data variables.product.prodname_github_app %} will expire after eight hours by default. Owners of {% data variables.product.prodname_github_apps %} can optionally change the default expiration period for their user access tokens, or configure the tokens to never expire. For more information about configuring your {% data variables.product.prodname_dotcom %} App's user access tokens, see "[AUTOTITLE](/apps/maintaining-github-apps/activating-optional-features-for-apps)." diff --git a/content/get-started/exploring-integrations/about-integrations.md b/content/get-started/exploring-integrations/about-integrations.md index 675275f8200b..bef82195ab58 100644 --- a/content/get-started/exploring-integrations/about-integrations.md +++ b/content/get-started/exploring-integrations/about-integrations.md 
@@ -21,7 +21,7 @@ Integrations can be {% data variables.product.prodname_github_apps %}, {% data v For more information, see: - "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/differences-between-github-apps-and-oauth-apps)" - "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/about-apps)" -- "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-level-permissions)" +- "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user)" - "[AUTOTITLE](/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps)" - "[AUTOTITLE](/apps/using-github-apps/authorizing-github-apps)" - "[AUTOTITLE](/apps/using-github-apps/reviewing-your-authorized-integrations)" diff --git a/content/graphql/reference/queries.md b/content/graphql/reference/queries.md index b6dd5ab65619..b6959a6f0100 100644 --- a/content/graphql/reference/queries.md +++ b/content/graphql/reference/queries.md 
@@ -22,7 +22,7 @@ For more information, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphq {% note %} -**Note:** For [user-to-server](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) {% data variables.product.prodname_github_app %} requests, you should use separate queries for issues and pull requests. For example, use the `is:issue` or `is:pull-request` filters and their equivalents. Using the `search` connection to return a combination of issues and pull requests in a single query will result in an empty set of nodes. +**Note:** For {% data variables.product.prodname_github_app %} requests made with user access tokens, you should use separate queries for issues and pull requests. For example, use the `is:issue` or `is:pull-request` filters and their equivalents. Using the `search` connection to return a combination of issues and pull requests in a single query will result in an empty set of nodes. {% endnote %} diff --git a/content/rest/quickstart.md b/content/rest/quickstart.md index 3822f7187cfe..9ef2b5e93c23 100644 --- a/content/rest/quickstart.md +++ b/content/rest/quickstart.md 
@@ -116,7 +116,7 @@ You can use Octokit.js to interact with the {% data variables.product.prodname_d {% data reusables.rest-api.quickstart-location-javascript-admonition %} -1. Create an access token. For example, create a {% data variables.product.pat_generic %} or a {% data variables.product.prodname_github_app %} user-to-server access token. For more information, see "[Creating a {% data variables.product.pat_generic %}](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" or "[Identifying and authorizing users for GitHub Apps](/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps)." +1. Create an access token. For example, create a {% data variables.product.pat_generic %} or a {% data variables.product.prodname_github_app %} user access token. For more information, see "[Creating a {% data variables.product.pat_generic %}](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" or "[Identifying and authorizing users for GitHub Apps](/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps)." {% warning %} 
@@ -279,7 +279,7 @@ If you are authenticating with a {% data variables.product.prodname_github_app % {% endnote %} 1. Install `curl` if it isn't already installed on your machine. To check if `curl` is installed, execute `curl --version` in the command line. If the output is information about the version of `curl`, it is installed. If you get a message similar to `command not found: curl`, you need to download and install `curl`. For more information, see [the curl project download page](https://curl.se/download.html). -1. Create an access token. For example, create a {% data variables.product.pat_generic %} or a {% data variables.product.prodname_github_app %} user-to-server access token. For more information, see "[Creating a {% data variables.product.pat_generic %}](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" or "[Identifying and authorizing users for GitHub Apps](/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps)." +1. Create an access token. For example, create a {% data variables.product.pat_generic %} or a {% data variables.product.prodname_github_app %} user access token. For more information, see "[Creating a {% data variables.product.pat_generic %}](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" or "[Identifying and authorizing users for GitHub Apps](/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps)." {% warning %} diff --git a/data/glossaries/external.yml b/data/glossaries/external.yml index d9cf3d364a5c..e2298478d83f 100644 --- a/data/glossaries/external.yml +++ b/data/glossaries/external.yml 
@@ -675,7 +675,7 @@ days. - term: server-to-server request description: >- - An API request used by an application that acts as a bot, independently of any particular user. For example, an application that runs on a scheduled basis and closes issues where there has been no activity for a long time. Applications that use this type of authentication don't use a licensed GitHub account so, in an enterprise with a billing plan that allows a certain number of licenses to be used, a server-to-server bot is not consuming one of your GitHub licenses. The token used in a server-to-server request is acquired programmatically, via [the GitHub API](/rest/apps#create-an-installation-access-token-for-an-app). See also, "[user-to-server request](#user-to-server-request)." + An API request used by an application that acts as a bot, independently of any particular user. For example, an application that runs on a scheduled basis and closes issues where there has been no activity for a long time. Applications that use this type of authentication don't use a licensed GitHub account so, in an enterprise with a billing plan that allows a certain number of licenses to be used, a server-to-server bot is not consuming one of your GitHub licenses. The token used in a server-to-server request is acquired programmatically, via the GitHub API. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)." See also, "[user-to-server request](#user-to-server-request)." - term: service hook description: >- Also called "webhook." Webhooks provide a way for notifications to be 
@@ -764,7 +764,7 @@ description: A user's handle on GitHub. - term: user-to-server request description: >- - An API request used by an application that performs a task on behalf of a particular user. Where a task is carried out with user-to-server authentication it's shown on GitHub as having been done by a user via an application. For example, you might choose to create an issue from within a third-party application, and the application would do this on your behalf on GitHub. The scope of tasks an application can perform using a user-to-server request is restricted by both the app's and the user's permissions and access. The token used in a user-to-server request is acquired via OAuth. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps)." See also, "[server-to-server request](#server-to-server-request)." + An API request used by an application that performs a task on behalf of a particular user. Where a task is carried out with user-to-server authentication it's shown on GitHub as having been done by a user via an application. For example, you might choose to create an issue from within a third-party application, and the application would do this on your behalf on GitHub. The scope of tasks an application can perform using a user-to-server request is restricted by both the app's and the user's permissions and access. The token used in a user-to-server request is acquired via OAuth. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user)." See also, "[server-to-server request](#server-to-server-request)." - term: visible team description: A team that can be viewed and @mentioned by every organization member. - term: watch 
diff --git a/data/reusables/apps/expiring_user_authorization_tokens.md b/data/reusables/apps/expiring_user_authorization_tokens.md index dde1222b2e3f..ba1988d11148 100644 --- a/data/reusables/apps/expiring_user_authorization_tokens.md +++ b/data/reusables/apps/expiring_user_authorization_tokens.md @@ -1 +1 @@ -To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-to-server-access-tokens)." +To keep user access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)."
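Review bot: In the hunk at -24,7 (OAuth App migration guidelines), the new link text "endpoints with a user access token" is hard to parse as a noun phrase, and the link still targets `identifying-and-authorizing-users-for-github-apps` while the -47,7 hunk of the same article moves to `authenticating-with-a-github-app-on-behalf-of-a-user`. Suggest wording such as "Built-in support for OAuth is still available to GitHub Apps through user access tokens" and pointing both links at the same article.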
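Review bot: In the hunk at -74,8, the added bullet reads "An **user access token**", which should be "A **user access token**", and its example sentence still says "you can use an OAuth access token to authenticate as a user". The bullet now names the token one way in bold and another way in the example, so the second mention should also become "user access token".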
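Review bot: In editing-a-github-apps-permissions.md (-17,7), the note now mentions "user-level permissions" with no link at all, so the one exception to the owner-approval rule is left undefined for the reader. If the old `#user-level-permissions` anchor is gone, link the phrase to whichever article now explains user-level permissions, or add a short clause saying what they are.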
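Review bot: In managing-deploy-keys.md (-119,25), removing `_server-to-server_` left a stray comma in "generate _tightly-scoped_, installation access tokens"; it should read "generate _tightly-scoped_ installation access tokens". The new H2 also uses `{% data variables.product.prodname_github_app %}` while the H3 headings and body below it say plain "installation access tokens" and literal "GitHub App"; pick one form for the section.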
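Review bot: In managing-deploy-keys.md (-146,8), the "Generate an installation access token" step keeps its links to `authenticating-as-a-github-app` and `authenticating-as-a-github-app-installation`, and the added closing paragraph then links to `generating-an-installation-access-token-for-a-github-app`. That is three targets for one task. Consider linking the step itself to the generating-an-installation-access-token article and dropping the trailing "For more information" line.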
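Review bot: In about-authentication-to-github.md (-132,4), only the `ghr_` row is updated; the `ghu_` row directly above still links to `identifying-and-authorizing-users-for-github-apps`, which other hunks in this patch replace with `generating-a-user-access-token-for-a-github-app` or `authenticating-with-a-github-app-on-behalf-of-a-user`. The `ghs_` row likewise still uses `authenticating-as-a-github-app-installation`. Update these rows in the same change, or confirm the old paths are meant to stay.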
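Review bot: In content/rest/quickstart.md, both changed steps (-116,7 and -279,7) rename the token to "user access token" but keep the link "[Identifying and authorizing users for GitHub Apps](/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps)". The rest of the patch points user access token references at `generating-a-user-access-token-for-a-github-app`; these two steps should use the same target so the instruction and its reference agree.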
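Review bot: In data/glossaries/external.yml (-675,7 and -764,7), the entries keep the terms "server-to-server request" and "user-to-server request" and never mention the names this patch standardizes on everywhere else. A reader who arrives from older material has no mapping to the new vocabulary. Suggest adding one sentence to each description stating that these requests use an installation access token and a user access token respectively, and changing "The token used in a user-to-server request is acquired via OAuth" to name the user access token.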