# Technical Brief: Why We Use GitHub Apps Over OAuth We use the **GitHub App** framework (the industry-standard recommended by GitHub and Gearset) because it offers a stronger security architecture than traditional OAuth. Unlike OAuth, which grants broad, persistent "act-as-user" permissions, GitHub Apps use **fine-grained permissions** and **short-lived tokens** (expiring every hour) to ensure the Principle of Least Privilege. Furthermore, GitHub Apps allow for **repository-level scoping**, ensuring the tool can only access specific authorized repositories rather than a user’s entire GitHub account. #### **Platform Documentation & Recommendations** * **GitHub Official:** [GitHub Apps are the recommended way to integrate](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app). Examples of other products: * **Gearset:** [Recommends its GitHub App](https://docs.gearset.com/en/articles/9965863-integrating-with-github-or-github-enterprise-through-a-github-app) to eliminate broad OAuth scopes. They *have* an alternative OAuth-based connection method, but do not recommend it. * **Copado:** [Utilizes an OAuth2-based approach](https://docs.copado.com/articles/copado-ci-cd-publication/git-repository-overview) non-specific to GitHub to secure credentials within backend secrets stored in Copado systems. | **Security Feature** | **GitHub App (Recommended)** | **OAuth App (Alternative)** | | -------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | | **Permission Granularity** | **Fine-grained:** Separate "Read" vs "Write" for code, PRs, and metadata. | **Broad Scopes:** `repo` scope grants full control over all code and settings. | | **Credential Lifetime** | **1 Hour:** Tokens are temporary and auto-rotated. | **Indefinite:** Tokens live forever until manually deleted. | | **Access Control** | **Repository-level:** You choose exactly which repos are visible. | **Account-level:** Accesses everything the user can see. | | **Traceability** | **Bot-Specific:** Actions are clearly marked as the integration (co-authored with the user). | **User-Impersonation:** Actions appear as if the user performed them. | | **Service Stability** | **Independent:** Works even if the setup user leaves the company. | **User-Dependent:** Breaks if the authorizing user’s account is deactivated. | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sre.ai/technical-brief-why-we-use-github-apps-over-oauth.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.