About OAuth App access restrictions

Organizations can choose which OAuth Apps have access to their repositories and other resources by enabling OAuth App access restrictions.

When OAuth App access restrictions are enabled, organization members cannot authorize OAuth App access to organization resources. Organization members can request owner approval for OAuth Apps they'd like to use, and organization owners receive a notification of pending requests.

When you create a new organization, OAuth App access restrictions are enabled by default. Organization owners can disable OAuth App access restrictions at any time.

Tip: When an organization has not set up OAuth App access restrictions, any OAuth App authorized by an organization member can also access the organization's private resources.

Setting up OAuth App access restrictions

When an organization owner sets up OAuth App access restrictions for the first time:

Resolving SSH access failures

When an SSH key created before February 2014 loses access to an organization with OAuth App access restrictions enabled, subsequent SSH access attempts will fail. Users will encounter an error message directing them to a URL where they can approve the key or upload a trusted key in its place.


When an OAuth App is granted access to the organization after restrictions are enabled, any pre-existing webhooks created by that OAuth App will resume dispatching.

When an organization removes access from a previously-approved OAuth App, any pre-existing webhooks created by that application will no longer be dispatched (these hooks will be disabled, but not deleted).

Re-enabling access restrictions

If an organization disables OAuth App access application restrictions, and later re-enables them, previously approved OAuth App are automatically granted access to the organization's resources.

Further reading

Ask a human

Can't find what you're looking for?

Contact us