Skip to main content
Loom integrates with GitHub at multiple levels: OAuth authentication for user login, GitHub App for repository access, and API clients for code search and introspection.

GitHub OAuth Authentication

Use GitHub OAuth to authenticate users with their GitHub accounts.

Setup

1

Create OAuth App

Register an OAuth application in your GitHub Developer Settings:
  • Application name: Loom (or your deployment name)
  • Homepage URL: https://your-domain.com
  • Authorization callback URL: https://your-domain.com/auth/github/callback
2

Configure Environment

3

Initialize Client

OAuth Flow

Generate the authorization URL and redirect the user:
URL format:

Scopes

Default scopes:
  • user:email - Read all email addresses (including private)
  • read:user - Read user profile information
Optional scopes:
Always use verified emails. Only trust emails where verified: true. Unverified emails can be set by anyone and should not be used for authentication.

Response Types

GitHub App Integration

GitHub Apps provide fine-grained access to repositories with enhanced security and better rate limits than OAuth apps.

Setup

1

Create GitHub App

Create a GitHub App in your organization or personal account:
  1. Go to Settings → Developer settings → GitHub Apps → New GitHub App
  2. Configure:
    • Name: Loom
    • Homepage URL: https://your-domain.com
    • Webhook URL: https://your-domain.com/webhooks/github
    • Webhook secret: Generate a random secret
  3. Set permissions:
    • Repository contents: Read
    • Repository metadata: Read
    • Issues: Read & Write (if needed)
  4. Download the private key (.pem file)
2

Configure Application

Or provide the private key directly:

Authentication

GitHub Apps use JWT-based authentication:
JWT generation:
Search code across repositories the app has access to:
Search query syntax:
See GitHub Code Search Documentation for complete query syntax.

Repository Introspection

Fetch repository metadata and file contents:

Webhook Handling

Verify and process GitHub webhooks:
Signature verification:

Installation Management

Track which repositories the app is installed on:

Rate Limiting

GitHub enforces rate limits for API requests: OAuth (per user):
  • 5,000 requests/hour for authenticated requests
  • 60 requests/hour for unauthenticated requests
GitHub App (per installation):
  • 15,000 requests/hour (3x higher than OAuth)
  • Shared across all users of the installation
Check rate limit:
GitHub returns 403 Forbidden when rate limited, not 429. Check the X-RateLimit-Remaining header proactively to avoid hitting limits.

Best Practices

Use GitHub Apps

Prefer GitHub Apps over OAuth Apps for repository access. They provide better rate limits, fine-grained permissions, and don’t depend on individual user tokens.

Cache Tokens

Installation tokens are valid for 1 hour. Cache them to avoid unnecessary JWT creation and token exchange calls.

Verify Webhooks

Always verify webhook signatures using HMAC-SHA256. Never trust unverified webhook payloads.

Use Stable IDs

Use user.id (numeric) as the stable identifier, not user.login (can change). Store both for display purposes.

Error Handling

API Reference

See the source for complete type definitions:
  • OAuth Client: crates/loom-server-auth-github/src/lib.rs
  • GitHub App Client: crates/loom-server-github-app/src/client.rs
  • Types: crates/loom-server-github-app/src/types.rs
  • Webhook Verification: crates/loom-server-github-app/src/webhook.rs
GitHub API documentation: https://docs.github.com/en/rest