GitHub OAuth Authentication
Use GitHub OAuth to authenticate users with their GitHub accounts.Setup
1
Create OAuth App
Register an OAuth application in your GitHub Developer Settings:
- Application name: Loom (or your deployment name)
- Homepage URL:
https://your-domain.com - Authorization callback URL:
https://your-domain.com/auth/github/callback
2
Configure Environment
3
Initialize Client
OAuth Flow
- Callback
- User Info
Scopes
Default scopes:user:email- Read all email addresses (including private)read:user- Read user profile information
Response Types
GitHub App Integration
GitHub Apps provide fine-grained access to repositories with enhanced security and better rate limits than OAuth apps.Setup
1
Create GitHub App
Create a GitHub App in your organization or personal account:
- Go to Settings → Developer settings → GitHub Apps → New GitHub App
- Configure:
- Name: Loom
- Homepage URL:
https://your-domain.com - Webhook URL:
https://your-domain.com/webhooks/github - Webhook secret: Generate a random secret
- Set permissions:
- Repository contents: Read
- Repository metadata: Read
- Issues: Read & Write (if needed)
- Download the private key (
.pemfile)
2
Configure Application
Authentication
GitHub Apps use JWT-based authentication:Code Search
Search code across repositories the app has access to:See GitHub Code Search Documentation for complete query syntax.
Repository Introspection
Fetch repository metadata and file contents:Webhook Handling
Verify and process GitHub webhooks:Installation Management
Track which repositories the app is installed on:Rate Limiting
GitHub enforces rate limits for API requests: OAuth (per user):- 5,000 requests/hour for authenticated requests
- 60 requests/hour for unauthenticated requests
- 15,000 requests/hour (3x higher than OAuth)
- Shared across all users of the installation
Best Practices
Use GitHub Apps
Prefer GitHub Apps over OAuth Apps for repository access. They provide better rate limits, fine-grained permissions, and don’t depend on individual user tokens.
Cache Tokens
Installation tokens are valid for 1 hour. Cache them to avoid unnecessary JWT creation and token exchange calls.
Verify Webhooks
Always verify webhook signatures using HMAC-SHA256. Never trust unverified webhook payloads.
Use Stable IDs
Use
user.id (numeric) as the stable identifier, not user.login (can change). Store both for display purposes.Error Handling
API Reference
See the source for complete type definitions:- OAuth Client:
crates/loom-server-auth-github/src/lib.rs - GitHub App Client:
crates/loom-server-github-app/src/client.rs - Types:
crates/loom-server-github-app/src/types.rs - Webhook Verification:
crates/loom-server-github-app/src/webhook.rs
GitHub API documentation: https://docs.github.com/en/rest