universal-github-app-jwt v2.1.0
universal-github-app-jwt
Calculate GitHub App bearer tokens for Node, Deno, and modern browsers
Usage
Install with npm install universal-github-app-jwt
import githubAppJwt from "universal-github-app-jwt";
Load universal-github-app-jwt directly from esm.sh, including types.
import githubAppJwt from "https://esm.sh/universal-github-app-jwt";
const { token, appId, expiration } = await githubAppJwt({
id: APP_ID,
privateKey: PRIVATE_KEY,
});
The retrieved token
can now be used in Authorization request header, e.g. with @octokit/request
:
request("GET /app", {
headers: {
authorization: `bearer ${token}`,
},
});
For a complete implementation of GitHub App authentication strategies, see @octokit/auth-app.js
.
githubAppJwt(options)
githubAppJwt(options)
resolves with an object with the following keys
About Private Key formats
When downloading a private-key.pem
file from GitHub, the format is in PKCS#1
format. Unfortunately, the WebCrypto API only supports PKCS#8
.
If you use 1Password to store a private key as an SSH key, it will be transformed to the OpenSSH
format, which is also not supported by WebCrypto.
You can identify the format based on the the first line
First Line | Format |
---|---|
-----BEGIN RSA PRIVATE KEY----- | PKCS#1 |
-----BEGIN PRIVATE KEY----- | PKCS#8 |
-----BEGIN OPENSSH PRIVATE KEY----- | OpenSSH |
Converting PKCS#1
to PKCS#8
Using an Online Private Key Converter
Convert quickly using the Web interface at https://private-key-converter.vercel.app
Using Node.js
If you use Node.js, you can convert the format before passing it to universal-github-app-jwt
:
import crypto from "node:crypto";
import githubAppJwt from "universal-github-app-jwt";
const privateKeyPkcs8 = crypto
.createPrivateKey(process.env.PRIVATE_KEY)
.export({
type: "pkcs8",
format: "pem",
});
const { token, appId, expiration } = await githubAppJwt({
id: process.env.APP_ID,
privateKey: privateKeyPkcs8,
});
Using OpenSSL
Convert the format using openssl
before passing it to your app.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.key
Converting OpenSSH
to PKCS#8
cp private-key.pem private-key-pkcs8.key && ssh-keygen -m PKCS8 -N "" -f private-key-pkcs8.key
I'm looking for help to create a minimal OpenSSH
to PKCS
convert library that I can recommend people to use before passing the private key to githubAppJwt
. Please create an issue if you'd like to help.