This guide walks through creating and configuring a GitHub App for Redstring that provides persistent authentication without token expiration issues.
- Go to GitHub.com → Settings → Developer settings → GitHub Apps
- Click "New GitHub App"
- GitHub App name: Redstring Semantic Sync
- Description: Sync Redstring cognitive graphs with GitHub repositories for persistent knowledge management
- Homepage URL: https://redstring.io
- User authorization callback URL: https://redstring.io/github-app/callback
- Webhook URL: https://redstring.io/api/github/app/webhook
- Webhook secret: Generate a random secret and save it
- SSL verification: ✅ Enable
Set these permissions for the app:
- Contents: Read & Write (for semantic files)
- Metadata: Read (for repository info)
- Pull requests: Read (optional, for future features)
- Email addresses: No access (not needed)
- Plan: No access (not needed)
- No user permissions needed (we only access repositories)
Subscribe to these webhook events:
- ✅ Installation
- ✅ Installation repositories
- ✅ Push (optional, for future auto-sync)
- After creating the app, scroll to "Private keys"
- Click "Generate a private key"
- Download the `.pem` file
- Store it securely (you'll need it for deployment)
Save these values for environment configuration:
- App ID (shown at top of app page)
- Client ID (in "About" section)
- Client Secret (generate if not shown)
- Private Key (the `.pem` file contents)
Add these to your deployment environment:
```bash
# GitHub App Configuration
GITHUB_APP_ID="123456"
GITHUB_APP_CLIENT_ID="Iv1.abc123def456"
GITHUB_APP_CLIENT_SECRET="your_client_secret_here"
GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
...your private key content...
-----END RSA PRIVATE KEY-----"
```
For production deployment, store sensitive values in Secret Manager:
```bash
# Store GitHub App secrets. printf '%s' (rather than echo) keeps a trailing
# newline out of the stored value, which would otherwise corrupt the ID/secret
# when it is mounted into the container.
printf '%s' "123456" | gcloud secrets create github-app-id --data-file=-
printf '%s' "Iv1.abc123def456" | gcloud secrets create github-app-client-id --data-file=-
printf '%s' "your_client_secret_here" | gcloud secrets create github-app-client-secret --data-file=-
printf '%s' "your_webhook_secret_here" | gcloud secrets create github-app-webhook-secret --data-file=-

# Store private key (multi-line)
gcloud secrets create github-app-private-key --data-file=path/to/your-app.2024-01-01.private-key.pem
```
Add GitHub App secret mounting:
```bash
# Deploy to Cloud Run with GitHub App secrets
# (github-client-id / github-client-secret come from the existing OAuth setup;
#  the webhook secret is mounted too, since signature verification needs it)
gcloud run deploy $SERVICE_NAME \
  --image gcr.io/$PROJECT_ID/redstring-oauth:latest \
  --region $REGION \
  --platform managed \
  --allow-unauthenticated \
  --port 3002 \
  --memory 512Mi \
  --cpu 0.5 \
  --concurrency 50 \
  --max-instances 5 \
  --set-env-vars "NODE_ENV=production,OAUTH_PORT=3002" \
  --set-secrets "GITHUB_CLIENT_ID=github-client-id:latest,GITHUB_CLIENT_SECRET=github-client-secret:latest,GITHUB_APP_ID=github-app-id:latest,GITHUB_APP_CLIENT_ID=github-app-client-id:latest,GITHUB_APP_CLIENT_SECRET=github-app-client-secret:latest,GITHUB_APP_PRIVATE_KEY=github-app-private-key:latest,GITHUB_APP_WEBHOOK_SECRET=github-app-webhook-secret:latest"
```
Add JWT dependency for GitHub App authentication:
```dockerfile
# Add to package.json dependencies or install in Dockerfile
RUN npm install jsonwebtoken @octokit/rest
```
Update your Vite config to expose GitHub App settings:
```javascript
// vite.config.js
import { defineConfig } from 'vite';

export default defineConfig({
  // ... other config
  define: {
    // Both keys must use the full import.meta.env.* form, otherwise
    // import.meta.env.VITE_GITHUB_APP_CLIENT_ID is undefined in client code.
    // Only the public App ID and Client ID belong here; the client secret and
    // private key must never be compiled into the browser bundle.
    'import.meta.env.VITE_GITHUB_APP_ID': JSON.stringify(process.env.VITE_GITHUB_APP_ID),
    'import.meta.env.VITE_GITHUB_APP_CLIENT_ID': JSON.stringify(process.env.VITE_GITHUB_APP_CLIENT_ID)
  }
});
```
The component is already set up to handle GitHub App authentication through the new service.
- Set environment variables locally
- Start the OAuth server: `node oauth-server.js`
- Test app installation flow
- Verify webhook delivery
- Deploy with GitHub App configuration
- Test installation on a test repository
- Verify persistent authentication works
- Check webhook logs for proper event handling
Users will visit: https://github.com/apps/redstring-semantic-sync/installations/new
- User selects organization/account
- Selects repositories to connect
- Grants permissions
- Redirects to Redstring with installation ID
- Redstring stores installation and shows repository selector
- User selects specific repository for sync
- Connection established with persistent authentication
Monitor installations through:
- GitHub App dashboard
- Webhook logs in Cloud Run
- Application metrics
- Installation tokens auto-refresh (1 hour expiry)
- No user re-authentication required
- Monitor API rate limits (5000/hour per installation)
- Handle suspended installations
- Manage permission changes
- Deal with uninstalled apps gracefully
| Feature | OAuth Token | GitHub App |
|---|---|---|
| Expiration | Can expire | Never expires |
| Rate Limit | 1000/hour | 5000/hour |
| Permissions | User-wide | Repository-specific |
| Re-auth Required | Yes | No |
| User Password Change | Breaks auth | Unaffected |
| Revocation | User can revoke | User can uninstall |
| API Access | As user | As app installation |
- Private Key Security: Store private key securely in Secret Manager
- Webhook Verification: Implement webhook signature verification
- Token Caching: Cache installation tokens securely with expiry
- Audit Logging: Log all GitHub App operations for security
- Minimal Permissions: Only request needed repository permissions
- JWT Generation Errors: Check private key format and App ID
- Installation Not Found: Verify installation ID and app permissions
- API Rate Limits: Monitor usage and implement proper caching
- Webhook Delivery: Check URL accessibility and SSL certificates
- Check Cloud Run logs for detailed error messages
- Use GitHub App dashboard to see installation status
- Test webhook delivery manually in GitHub settings
- Verify environment variables are properly set
- Create the GitHub App following steps above
- Deploy with new configuration including all environment variables
- Test installation flow with a test repository
- Monitor for issues and iterate as needed
- Migrate existing users from OAuth to GitHub App authentication
This GitHub App approach will provide the reliable, persistent authentication that Redstring needs for seamless semantic web integration! 🚀