Organizations can choose which OAuth Apps have access to their repositories and other resources by enabling OAuth App access restrictions.

When OAuth App access restrictions are enabled, organization members cannot authorize OAuth App access to organization resources. Organization members can request owner approval for OAuth Apps they'd like to use, and organization owners receive a notification of pending requests.

When you create a new organization, OAuth App access restrictions are enabled by default. Organization owners can disable OAuth App access restrictions at any time.

Tip: When an organization has not set up OAuth App access restrictions, any OAuth App authorized by an organization member can also access the organization's private resources.

Setting up OAuth App access restrictions

When an organization owner sets up OAuth App access restrictions for the first time:

  • Applications that are owned by the organization are automatically given access to the organization's resources.
  • OAuth Apps immediately lose access to the organization's resources.
  • SSH keys created before February 2014 immediately lose access to the organization's resources (this includes user and deploy keys).
  • SSH keys created by an OAuth App during or after February 2014 immediately lose access to the organization's resources.
  • Hook deliveries from private organization repositories will no longer be sent to unapproved OAuth Apps.
  • API access to private organization resources is not available for unapproved OAuth Apps. In addition, there is no create, update, or delete access to public organization resources.
  • Hooks created by users and hooks created before May 2014 will not be affected.
  • Private forks of organization-owned repositories are subject to the organization's access restrictions.

Resolving SSH access failures

When an SSH key created before February 2014 loses access to an organization with OAuth App access restrictions enabled, subsequent SSH access attempts will fail. Users will encounter an error message directing them to a URL where they can approve the key or upload a trusted key in its place.

Webhooks

When an OAuth App is granted access to the organization after restrictions are enabled, any pre-existing webhooks created by that OAuth App will resume dispatching.

When an organization removes access from a previously-approved OAuth App, any pre-existing webhooks created by that application will no longer be dispatched (these hooks will be disabled, but not deleted).

Re-enabling access restrictions

If an organization disables OAuth App access restrictions and later re-enables them, previously approved OAuth Apps are automatically granted access to the organization's resources again.

Further reading