GitHub App mode

GitHub supports two connection modes in Wicket. The standard mode — your OAuth app, per-member user tokens — is covered in Connect a connector. This page covers GitHub App mode: connecting through a GitHub App installation instead of user OAuth.

Why GitHub App mode

| | OAuth mode | GitHub App mode |
| --- | --- | --- |
| Acts as | The member’s GitHub user | The app installation |
| Repo scope | Everything the user can access | Only the repositories selected at install time |
| Org control | User-level grant | Installed and approved by an org admin, visible in org settings |
| Entity freshness | Harvest on demand | GitHub webhooks keep harvested entities current automatically |

Choose App mode when you want the org — not each individual — to define which repositories an agent can ever see, with GitHub’s own installation UI as the source of truth.

Set it up

  1. Provision the app connection

    In the agent’s GitHub connector settings, choose GitHub App as the credential type and follow the install link Wicket generates.

  2. Install and select repositories

    GitHub shows the standard app-installation screen. Pick All repositories or Only select repositories — this selection is the hard outer boundary; policies can narrow it further but never widen it.

  3. Finish in Wicket

    The callback returns you to Wicket, which registers the installation against the agent. Installations are tracked per member, and the installation list (with repo selection) is visible in the connector settings, where it can also be removed.

Calling the proxy with installation tokens

App mode changes how the MCP client authenticates for GitHub. Instead of a member key alone, the client presents a GitHub App installation token (ghs_…) as the Bearer credential, plus the installation ID header:

Authorization: Bearer ghs_<installation-token>
x-github-installation-id: <installation-id>

Wicket validates the token against GitHub, resolves the registered installation, and applies the agent’s policies as usual. Installation tokens are GitHub-scoped: on the aggregator endpoint they can call github__* tools only.
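
A client can check the credential before it ever leaves the process, so that a broader user-scoped token is never sent where an installation token is expected. The following is an added example, not Wicket's own code: the function names, the sample values and the client-side checks are assumptions made for illustration, and only the two header names, the ghs_ prefix and the github__ tool prefix come from this page.

```python
import re

# GitHub token prefixes for user-scoped or refresh credentials; none belong in App mode.
_USER_TOKEN_PREFIXES = ("ghp_", "gho_", "ghu_", "ghr_", "github_pat_")
# Installation tokens start with ghs_. Only the prefix and "printable ASCII, no
# whitespace" are checked (assumption: the exact length/charset is not relied on).
_INSTALLATION_TOKEN = re.compile(r"ghs_[\x21-\x7e]+")
_INSTALLATION_ID = re.compile(r"[1-9][0-9]*")


class CredentialError(ValueError):
    """Raised when the credential does not fit GitHub App mode."""


def build_app_mode_headers(token, installation_id):
    """Return the two App-mode headers, refusing anything that is not a ghs_ token."""
    token = token.strip()  # tokens read from files often carry a trailing newline
    if token.startswith(_USER_TOKEN_PREFIXES):
        raise CredentialError("user-scoped GitHub token; App mode expects ghs_")
    if not _INSTALLATION_TOKEN.fullmatch(token):
        # Also rejects embedded CR/LF, which would otherwise split the header.
        raise CredentialError("not a GitHub App installation token")
    inst = str(installation_id).strip()
    if not _INSTALLATION_ID.fullmatch(inst):
        raise CredentialError("installation ID must be a positive integer")
    return {"Authorization": f"Bearer {token}", "x-github-installation-id": inst}


def redact(headers):
    """Copy of the headers that is safe to log: prefix kept, secret removed."""
    out = dict(headers)
    scheme, _, tok = out.get("Authorization", "").partition(" ")
    if tok:
        out["Authorization"] = f"{scheme} {tok[:4]}...redacted"
    return out


def callable_with_installation_token(tool_name):
    """Client-side mirror of the rule that installation tokens reach github__* only."""
    prefix = "github__"
    return tool_name.startswith(prefix) and len(tool_name) > len(prefix)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or real tool names.
    headers = build_app_mode_headers("ghs_EXAMPLEconstructed123\n", 4242)
    print(redact(headers))
    for tool in ("github__list_issues", "slack__post_message"):
        print(tool, callable_with_installation_token(tool))
```

The checks only catch mistakes early on the client; Wicket still validates the token against GitHub and applies policy on its side.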

Webhooks included

App installations deliver GitHub webhooks to Wicket automatically — repository changes, PR and issue updates, branch and release events flow in as they happen, keeping the harvested entities behind your resource conditions fresh without polling. See Harvesting & freshness.