Organizations can choose which third-party applications have access to their repositories and other resources by enabling third-party application restrictions.
When third-party application restrictions are enabled, organization members can request owner approval for third-party applications they'd like to use. Organization owners receive a notification of the pending request. Owners can also view which third-party applications currently have access to private resources, as well as disable access for previously approved applications.
When you create a new organization, third-party applications are restricted by default. Organization admins can disable third-party application restrictions at any time.
Note: When an organization has not set up third-party application restrictions, any third-party application authorized by an organization member can also access the organization's private resources.
Setting up third-party application restrictions
When an organization owner sets up third-party application restrictions for the first time:
- Applications that are owned by the organization are automatically given access to the organization's resources.
- Third-party applications immediately lose access to the organization's resources.
- SSH keys created before February 2014 immediately lose access to the organization's resources (this includes user and deploy keys).
- SSH keys created by applications during or after February 2014 immediately lose access to the organization's resources.
- Hook deliveries from private organization repositories will no longer be sent to unapproved applications.
- API access to private organization resources is not available for unapproved applications. In addition, unapproved applications have no create, update, or delete access to public organization resources.
- Hooks created by users and hooks created before May 2014 will not be affected.
- Private forks of organization-owned repositories are subject to the organization's access restrictions.
Resolving SSH access failures
When an SSH key created before February 2014 loses access to an organization with third-party application restrictions enabled, subsequent SSH access attempts will fail. Users will encounter an error message directing them to a URL where they can approve the key or upload a trusted key in its place.
When an application is granted access to the organization after restrictions are enabled, any pre-existing webhooks created by that application will resume dispatching.
When an organization removes access from a previously approved application, any pre-existing webhooks created by that application will no longer be dispatched (these hooks will be disabled, but not deleted).
Re-enabling access restrictions
If an organization disables third-party application restrictions, and later re-enables them, previously approved applications will automatically be granted access to the organization's resources.
- "Enabling third party application restrictions for your organization"
- "Approving third-party applications for your organization"
- "Denying access to a previously approved application for your organization"
- "Disabling third-party application restrictions for your organization"
- "Requesting organization approval for your authorized applications"
- "Requesting organization approval for third-party applications"
- "Connecting with third-party applications"