GitHub App
Learn more about GitHub Apps and their functionality.
Advantages
Security
GitHub Apps provide enhanced control and security compared to OAuth. Instead of broad scopes, GitHub Apps use granular permissions, giving administrators better control over what the app can access and perform:
Granular permissions — GitHub Apps request only the permissions they need, unlike OAuth apps which rely on wider permission scopes.
Repository-specific access — users or organization owners can choose which repositories the app can access, whereas OAuth apps gain access to all repositories available to the authorizing user.
Short-lived tokens — GitHub Apps use tokens that expire quickly, reducing the risk of token misuse. In contrast, OAuth app tokens remain valid until explicitly revoked.
These features make GitHub Apps more suitable for organizations with strict security requirements, offering stronger protection against potential security risks.
Rate limit
GitHub Apps that use installation access tokens start with a limit of 5,000 requests per hour. This limit increases under specific conditions:
GitHub Enterprise Cloud organizations — installations associated with an Enterprise Cloud organization have a limit of 15,000 requests per hour.
Scaling by repositories and users — for installations that are not part of an Enterprise Cloud organization:
Organizations with more than 20 repositories receive an additional 50 requests per hour per repository.
Organizations with more than 20 users receive an additional 50 requests per hour per user.
The total limit is capped at 12,500 requests per hour.
The above rules help ensure fair usage while maintaining system stability and security.
Installation requirements
GitHub Apps can be installed in several different ways:
By personal accounts — any user can install the app on their personal account.
By organization accounts — organization owners can install the app for the entire organization.
Repository-level installations within organizations — repository administrators can install the app for repositories they manage, provided the app does not request organization-wide permissions or require repository administration access.
Restricted installation — organization owners can limit installations to outside collaborators who are repository admins.
Approval for non-admin members — if a member who is neither an organization owner nor a repository admin selects an organization during the app installation process, GitHub will notify the organization owner to approve the installation rather than installing it directly.
Installation process overview
After installing a GitHub App, you may also need to authorize it. Installation lets you specify which repositories the app can access and grants it permission to use certain organizational resources; the permissions being approved are shown during installation.
Authorization grants the app access to your GitHub account according to the requested permissions and allows it to act on your behalf.
You can install a GitHub App without authorizing it, or authorize it without installing, providing flexibility and control over app access and functionality.
Throttling prevention
Throttling limits the number of API calls or operations within a given time window to prevent overuse of resources and ensure server stability. If the limit is exceeded, further requests from the client are temporarily restricted, which may extend backup times.
GitProtect can use up to 10 additional GitHub Apps to increase the request limit and reduce the impact of throttling. You can learn more about throttling and throttling prevention methods in the RISK & COMPLIANCE MANAGEMENT section.
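The following calculator, an added example that is not GitProtect's or GitHub's own code, applies the rate-limit rules from the Rate limit section above and the "up to 10 additional GitHub Apps" figure from this section to estimate the hourly request budget available to a backup job. It assumes the per-repository and per-user bonus counts every repository or user once the threshold of 20 is exceeded (as the page's wording reads), and that each app installation is rate-limited independently so that budgets add up.

```python
# Installation rate-limit calculator: an added example, not GitProtect's or
# GitHub's own code. Rules taken from this page: base 5,000/h per
# installation; Enterprise Cloud organizations get a flat 15,000/h; other
# organizations get +50/h per repository when they have more than 20
# repositories and +50/h per user when they have more than 20 users, capped
# at 12,500/h. Assumption: the bonus counts every repository/user once the
# threshold is exceeded, not only those beyond it.
BASE_LIMIT = 5_000
ENTERPRISE_CLOUD_LIMIT = 15_000
SCALED_CAP = 12_500
THRESHOLD = 20
BONUS_PER_ITEM = 50
MAX_ADDITIONAL_APPS = 10  # GitProtect can use up to 10 additional apps


def installation_rate_limit(repositories: int, users: int,
                            enterprise_cloud: bool = False) -> int:
    """Requests per hour available to one installation access token."""
    if repositories < 0 or users < 0:
        raise ValueError("counts must be non-negative")
    if enterprise_cloud:
        return ENTERPRISE_CLOUD_LIMIT        # flat limit, no scaling
    limit = BASE_LIMIT
    if repositories > THRESHOLD:
        limit += BONUS_PER_ITEM * repositories
    if users > THRESHOLD:
        limit += BONUS_PER_ITEM * users
    return min(limit, SCALED_CAP)            # scaling never exceeds the cap


def aggregate_rate_limit(repositories: int, users: int, additional_apps: int,
                         enterprise_cloud: bool = False) -> int:
    """Combined hourly budget when requests are spread over the primary app
    plus `additional_apps` extra GitHub Apps (assumption: each installation
    is rate-limited independently, so the budgets add up)."""
    if not 0 <= additional_apps <= MAX_ADDITIONAL_APPS:
        raise ValueError(f"additional_apps must be 0..{MAX_ADDITIONAL_APPS}")
    per_app = installation_rate_limit(repositories, users, enterprise_cloud)
    return per_app * (1 + additional_apps)


if __name__ == "__main__":
    print(installation_rate_limit(10, 15))         # 5000: below both thresholds
    print(installation_rate_limit(120, 80))        # 12500: 15000 before the cap
    print(installation_rate_limit(120, 80, True))  # 15000: Enterprise Cloud
    print(aggregate_rate_limit(120, 80, 10))       # 137500 across 11 apps
```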