Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From github-app
Manage GitHub App installation tokens in Claude Code sessions. Use when tokens expire, auth errors occur in long-running sessions, or when setting up GitHub App credentials for agent teams. <example>my github token expired</example> <example>refresh the github app token</example> <example>check token status</example> <example>set up github app authentication for this session</example>
npx claudepluginhub nsheaps/ai-mktpl --plugin github-appHow this skill is triggered — by the user, by Claude, or both
Slash command
/github-app:github-app-tokenThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
This skill covers managing GitHub App installation tokens in Claude Code sessions, including setup, refresh, troubleshooting, and agent team distribution.
Provides copy-paste ready GitHub CLI (gh) installation, authentication, and command usage. Prevents common mistakes like missing full paths or GITHUB_TOKEN prefix errors.
Guides usage of GitHub CLI (gh) for managing repositories, issues, PRs, releases, and gists. Includes recipes for efficient queries and automation.
Orchestrates GitHub REST v3 and GraphQL v4 API access, routing to resources for authentication, repos, issues/PRs, workflows, security, search, and more. Use for integrations and automation.
Share bugs, ideas, or general feedback.
This skill covers managing GitHub App installation tokens in Claude Code sessions, including setup, refresh, troubleshooting, and agent team distribution.
Session Start
│
├─ SessionStart Hook (github-token-init.sh)
│ ├─ Reads GITHUB_APP_ID, PRIVATE_KEY_PATH, INSTALLATION_ID
│ ├─ Generates JWT from PEM key
│ ├─ Exchanges JWT for installation token (1 hour validity)
│ ├─ Writes token to ~/.config/agent/github-token
│ ├─ Creates runtime env file (~/.config/agent/github-app-env)
│ ├─ Sources env file via CLAUDE_ENV_FILE
│ ├─ Configures git identity (bot user)
│ └─ Prints: app name, expiry time, env var names
│
└─ PreToolUse Hook (github-token-check.sh)
├─ Debounced: checks at most every 30 seconds
├─ For gh/git commands: synchronous check
│ ├─ Valid + >30min: silent allow
│ ├─ Valid + <30min: allow + background refresh
│ └─ Expired: synchronous refresh, then allow
├─ For other tools: async background check
├─ Retries up to 3x with exponential backoff
└─ 5-minute cooldown after all retries fail
~/.config/agent/github-token (permissions 600)https://github.com/settings/appsThe plugin supports multiple secret sources. Each value can be a literal, ${ENV_VAR}, or op://vault/item/field.
ref)Use ref to load all secrets from one source:
# In $CLAUDE_PROJECT_DIR/.claude/plugins.settings.yaml
github-app:
# 1Password item (uses op-exec from nsheaps/op-exec)
ref: "op://vault/github-app--repo--my-repo"
# Or an env file with KEY=VALUE pairs
# ref: "env-file://./.env.github-app"
Expected field names: GITHUB_APP_ID, GITHUB_APP_CLIENT_ID, GITHUB_APP_CLIENT_SECRET, GITHUB_APP_PRIVATE_KEY, GITHUB_INSTALLATION_ID.
github-app:
secrets:
github_app_id: "op://vault/item/GITHUB_APP_ID"
github_app_private_key: "op://vault/item/GITHUB_APP_PRIVATE_KEY"
github_installation_id: "${GITHUB_INSTALLATION_ID}"
export GITHUB_APP_ID="12345"
export GITHUB_APP_PRIVATE_KEY_PATH="~/.config/agent/github-app.pem"
export GITHUB_INSTALLATION_ID="67890"
The private key can be provided as:
private_key_path / GITHUB_APP_PRIVATE_KEY_PATH): PEM file on disksecrets.github_app_private_key / GITHUB_APP_PRIVATE_KEY): PEM content directly (e.g., from 1Password). Written to a secure temp file automatically.# Ensure correct permissions
chmod 600 ~/.config/agent/github-app.pem
# Verify the key
openssl rsa -in ~/.config/agent/github-app.pem -check -noout
Run the token status script directly:
~/.config/agent/github-app-env # source to get vars
$CLAUDE_PLUGIN_ROOT/bin/token-status.sh
Or check the metadata file:
cat ~/.config/agent/github-token.meta | jq .
$CLAUDE_PLUGIN_ROOT/bin/token-check.sh --sync
The plugin includes a git credential helper for seamless git push operations:
# Configure git to use the helper
git config --global credential.https://github.com.helper \
'!/path/to/plugins/github-app/bin/git-credential-github-app.sh'
This reads the token from the shared file, so git push always uses the latest token.
For agent teams (tmux panes), all agents share the same token file:
~/.config/agent/github-tokenMissing one or more required environment variables. Set all three:
GITHUB_APP_IDGITHUB_APP_PRIVATE_KEY_PATHGITHUB_INSTALLATION_IDThe private key path doesn't exist or isn't readable. Check the path and permissions.
The JWT is invalid. Common causes:
The installation ID is wrong or the App is no longer installed on the target account.
Check that the runtime env file exists and is being sourced:
cat ~/.config/agent/github-app-env
If missing, the SessionStart hook may have failed. Check stderr output from session start.
The plugin failed to refresh 3 times consecutively and is backing off for 5 minutes. Check:
To clear the cooldown manually:
rm ~/.config/agent/github-token.cooldown
Installation tokens inherit the App's configured permissions. If you get 403 errors:
github-auth skill (shared between both plugins) covers all auth methods