Nine Parsecs from Milwaukee

    TypeScript icon, indicating that this package has built-in type declarations

    1.2.6 • Public • Published


    Octokit authentication strategy that supports token, app (JWT), and event-based installation authentication

    @latest Build Status

    octokit-auth-probot combines the authentication strategies:

    1. @octokit/auth-app
    2. @octokit/auth-token
    3. @octokit/auth-unauthenticated

    It adds a new authentication type: "event-octokit", which allows to retrieve an Octokit instance which is correctly authenticated based on the Octokit constructors authentication (app or token) as well as the event, which either results in an installation access token authentication or, in case the event implies that the installation's access has been revoked, in an unauthenticated Octokit instance.

    octokit-auth-probot is not meant to be used by itself, but in conjuction with @octokit/core or a compatible library.



    Load octokit-auth-probot directly from

    <script type="module">
      import { Octokit } from "";
      import { createProbotAuth } from "";

    Install with npm install octokit-auth-probot

    const { Octokit } = require("@octokit/core");
    const { createProbotAuth } = require("octokit-auth-probot");
    // or:
    // import { Octokit } from "@octokit/core";
    // import { createProbotAuth } from "octokit-auth-probot";

    ⚠️ For usage in browsers: The private keys provided by GitHub are in PKCS#1 format, but the WebCrypto API only supports PKCS#8. You need to convert it first:

    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.key

    No conversation is needed in Node, both PKCS#1 and PKCS#8 format will work.

    const { Octokit } = require("@octokit/core");
    const { createProbotAuth } = require("octokit-auth-probot");
    const ProbotOctokit = Octokit.defaults({
      authStrategy: createProbotAuth,

    Token authentication

    const octokit = new ProbotOctokit({
      auth: {
        token: "secret 123",

    Note: when using octokit.auth({ type: "installation", factory }), factory(options) will be called with options.octokit, options.octokitOptions, plus any other properties that have been passed to octokit.auth() besides type and factory. In all other cases, octokit.auth() will resolve with an oauth authentication object, no matter the passed options.

    App authentication

    const octokit = new ProbotOctokit({
      auth: {
        appId: 123,
        privateKey: `----BEGIN RSA PRIVATE KEY----- ...`,


    const octokit = new ProbotOctokit();

    This is useful if you need to send a request without access to authentication. Probot's use case here is Create a GitHub App from a manifest (POST /app-manifests/{code}/conversions), which is used to register a GitHub app and retrieve the credentials in return.

    Get authenticated octokit instance based on event

    const eventOctokit = await octokit.auth({
      type: "event-octokit",
      event: { name: "push", payload: { installation: { id: 123 } } }, // event payload

    eventOctokit is now authenticate in one of three ways

    1. If octokit was authenticated using a token, eventOctokit is authenticated with the same token. In fact, eventOctokit is octokit
    2. If event name is installation and payload.action is either suspend or deleted, then eventOctokit is unauthenticated using @octokit/auth-unauthenticated
    3. Otherwise eventOctokit is authenticate as installation based on




    npm i octokit-auth-probot

    DownloadsWeekly Downloads






    Unpacked Size

    26.7 kB

    Total Files


    Last publish


    • probotbot