universal-github-app-jwt v2.2.0
universal-github-app-jwt
Calculate GitHub App bearer tokens for Node, Deno, and modern browsers
Usage
Install with `npm install universal-github-app-jwt`

```js
import githubAppJwt from "universal-github-app-jwt";
```

Load universal-github-app-jwt directly from esm.sh, including types.
```js
import githubAppJwt from "https://esm.sh/universal-github-app-jwt";
```

```js
const { token, appId, expiration } = await githubAppJwt({
  id: APP_ID,
  privateKey: PRIVATE_KEY,
});
```

The retrieved token can now be used in the Authorization request header, e.g. with @octokit/request:
```js
request("GET /app", {
  headers: {
    authorization: `bearer ${token}`,
  },
});
```

For a complete implementation of GitHub App authentication strategies, see @octokit/auth-app.js.
githubAppJwt(options)
githubAppJwt(options) resolves with an object with the following keys
About Private Key formats
When you download a private-key.pem file from GitHub, the key is in PKCS#1 format. Unfortunately, the WebCrypto API only supports PKCS#8.
If you use 1Password to store a private key as an SSH key, it will be transformed to the OpenSSH format, which is also not supported by WebCrypto.
You can identify the format based on the first line:
| First Line | Format |
|---|---|
| `-----BEGIN RSA PRIVATE KEY-----` | PKCS#1 |
| `-----BEGIN PRIVATE KEY-----` | PKCS#8 |
| `-----BEGIN OPENSSH PRIVATE KEY-----` | OpenSSH |
Converting PKCS#1 to PKCS#8
Using an Online Private Key Converter
Convert quickly using the Web interface at https://private-key-converter.vercel.app
Using Node.js
If you use Node.js, you can convert the format before passing it to universal-github-app-jwt:
```js
import crypto from "node:crypto";
import githubAppJwt from "universal-github-app-jwt";

const privateKeyPkcs8 = crypto
  .createPrivateKey(process.env.PRIVATE_KEY)
  .export({
    type: "pkcs8",
    format: "pem",
  });

const { token, appId, expiration } = await githubAppJwt({
  id: process.env.APP_ID,
  privateKey: privateKeyPkcs8,
});
```

Using OpenSSL
Convert the format using openssl before passing it to your app.
```sh
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.key
```

Converting OpenSSH to PKCS#8

```sh
# -p rewrites the existing key file in the requested format instead of generating a new key
cp private-key.pem private-key-pkcs8.key && ssh-keygen -p -m PKCS8 -N "" -f private-key-pkcs8.key
```

I'm looking for help to create a minimal OpenSSH to PKCS convert library that I can recommend people to use before passing the private key to githubAppJwt. Please create an issue if you'd like to help.
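The first-line format check and the PKCS#1 to PKCS#8 conversion described above can also be done locally without node:crypto or openssl, because a PKCS#8 RSA key is the PKCS#1 structure wrapped in a fixed ASN.1 envelope. The following is an added example, not code from universal-github-app-jwt, and it goes beyond the page by doing the wrapping by hand; the names `detectKeyFormat` and `ensurePkcs8` are hypothetical.

```javascript
// Added example: classify a PEM private key by its first line and wrap a
// PKCS#1 RSA key in a PKCS#8 envelope using only atob/btoa and Uint8Array.
const FORMATS = {
  "-----BEGIN RSA PRIVATE KEY-----": "PKCS#1",
  "-----BEGIN PRIVATE KEY-----": "PKCS#8",
  "-----BEGIN OPENSSH PRIVATE KEY-----": "OpenSSH",
};

function detectKeyFormat(pem) {
  const firstLine = pem.trim().split(/\r?\n/)[0].trim();
  return FORMATS[firstLine] ?? "unknown";
}

// DER definite length: short form below 128, else 0x80|n followed by n bytes.
function derLength(n) {
  if (n < 0x80) return [n];
  const bytes = [];
  for (; n > 0; n = Math.floor(n / 256)) bytes.unshift(n % 256);
  return [0x80 | bytes.length, ...bytes];
}

function derWrap(tag, content) {
  return Uint8Array.from([tag, ...derLength(content.length), ...content]);
}

// version INTEGER 0, then AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }
const PKCS8_RSA_PREFIX = [
  0x02, 0x01, 0x00,
  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
];

function pemBody(pem) {
  const b64 = pem.replace(/-----[^-]+-----/g, "").replace(/\s+/g, "");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function toPem(der, label) {
  const b64 = btoa(String.fromCharCode(...der));
  return `-----BEGIN ${label}-----\n${b64.match(/.{1,64}/g).join("\n")}\n-----END ${label}-----\n`;
}

function ensurePkcs8(pem) {
  const format = detectKeyFormat(pem);
  if (format === "PKCS#8") return pem; // already usable by WebCrypto
  if (format !== "PKCS#1") throw new Error(`Cannot wrap ${format} key; convert it to PKCS#8 first`);
  const inner = derWrap(0x04, pemBody(pem)); // OCTET STRING holding the RSAPrivateKey
  const der = derWrap(0x30, [...PKCS8_RSA_PREFIX, ...inner]); // PrivateKeyInfo SEQUENCE
  return toPem(der, "PRIVATE KEY");
}
```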