Organizations can choose which third-party applications have access to their repositories and other resources by enabling third-party application restrictions.

When third-party application restrictions are enabled, organization members can request owner approval for third-party applications they'd like to use. Organization owners receive a notification of the pending request. Owners can also view which third-party applications currently have access to private resources, as well as disable access for previously approved applications.

When you create a new organization, third-party applications are restricted by default. Organization admins can disable third-party application restrictions at any time.

Note: When an organization has not set up third-party application restrictions, any third-party application authorized by an organization member can also access the organization's private resources.

Setting up third-party application restrictions

When an organization owner sets up third-party application restrictions for the first time:

  • Applications that are owned by the organization are automatically given access to the organization's resources.
  • Third-party applications immediately lose access to the organization's resources.
  • SSH keys created before February 2014 immediately lose access to the organization's resources (this includes user and deploy keys).
  • SSH keys created by applications during or after February 2014 immediately lose access to the organization's resources.
  • Hook deliveries from private organization repositories will no longer be sent to unapproved applications.
  • API access to private organization resources is not available for unapproved applications. In addition, there is no create, update, or delete access to public organization resources.
  • Hooks created by users and hooks created before May 2014 will not be affected.
  • Private forks of organization-owned repositories are subject to the organization's access restrictions.

Resolving SSH access failures

When an SSH key created before February 2014 loses access to an organization with third-party application restrictions enabled, subsequent SSH access attempts will fail. Users will encounter an error message directing them to a URL where they can approve the key or upload a trusted key in its place.


When an application is granted access to the organization after restrictions are enabled, any pre-existing webhooks created by that application will resume dispatching.

When an organization removes access from a previously-approved application, any pre-existing webhooks created by that application will no longer be dispatched (these hooks will be disabled, but not deleted).

Re-enabling access restrictions

If an organization disables third-party application restrictions, and later re-enables them, previously approved applications will automatically be granted access to the organization's resources.

Further reading