Installing GitHub creates a resource for the upstream API and the OAuth provider Keycard needs to mint tokens for it. Your app calls Keycard’s token exchange, gets back a token scoped to GitHub, and uses it to call the API directly. Every exchange is governed by your zone’s identity provider, access policies, and audit log - the OAuth client secret stays inside Keycard.
Install
Add GitHub to your zone so your app can exchange tokens for it.
Step 1 - Start the install in Keycard Console
- In your zone’s Keycard Console, go to Resources -> Explore Resources.
- Search for GitHub and click into the catalog entry.
- The install dialog shows a Redirect URI. Copy it - you’ll paste it into GitHub in Step 2. Leave this Keycard tab open.
Step 2 - Create the OAuth app for GitHub
Create a GitHub App
- Go to GitHub App Settings
- Click New GitHub App
- Fill in:
  - GitHub App name: A descriptive name (e.g., “Keycard”)
  - Homepage URL: Your application URL (e.g., http://localhost:3000)
  - Callback URL: The redirect URI provided by Keycard
- Under Permissions, select the permissions your app needs (e.g., Repository → Contents: Read-only)
- Click Create GitHub App
Get credentials
- On the app page, note the Client ID
- Click Generate a new client secret
- Copy the Client Secret immediately (it’s only shown once)
Step 3 - Finish the install in Keycard Console
- Switch back to the Keycard install dialog you left open in Step 1.
- Paste the Client ID and Client Secret from Step 2.
- Click Add GitHub. The resource is provisioned and your app can start exchanging tokens for it.
Use GitHub from your code
Call GitHub from your application with a Keycard-issued token scoped to this resource.
After installing GitHub, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.
```python
from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a GitHub token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://api.github.com",
    )

# Call GitHub directly with the exchanged token.
r = requests.get(
    "https://api.github.com/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)
```

```typescript
import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://api.github.com",
});

// Call GitHub directly with the exchanged token.
const res = await fetch("https://api.github.com/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});
```

See the OAuth SDK → Token Exchange reference for the full client API.
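The exchanged token is scoped to `https://api.github.com`, so the calling code should attach it only to that origin and surface a 401 as its own error. The Python below is an added example, not Keycard's or GitHub's code, showing one way to do both. `github_url`, `call_github`, `TokenRejected` and the `send` parameter are hypothetical names, and `fake_send` is a constructed stand-in for `requests.get` so the block runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Same value passed as `resource` in the token exchange.
RESOURCE = "https://api.github.com"


class TokenRejected(Exception):
    """GitHub answered 401: the exchanged token is invalid or expired."""


def github_url(endpoint: str) -> str:
    """Resolve endpoint against RESOURCE; refuse any URL that leaves that origin."""
    url = urljoin(RESOURCE + "/", endpoint)
    parts = urlsplit(url)
    same_origin = (
        parts.scheme == "https"
        and parts.hostname == "api.github.com"
        and parts.username is None  # blocks https://api.github.com@other-host/
        and parts.port in (None, 443)
    )
    if not same_origin:
        raise ValueError(f"refusing to send the GitHub token to {url!r}")
    return url


def call_github(endpoint: str, token: str, send):
    """send is a hypothetical transport taking the keyword arguments of requests.get."""
    url = github_url(endpoint)
    # Never follow redirects automatically while the bearer token is attached.
    resp = send(url, headers={"Authorization": f"Bearer {token}"}, allow_redirects=False)
    if resp.status_code == 401:
        # Matches "Error 401: Bad credentials"; the token itself is never logged.
        raise TokenRejected("GitHub returned 401; re-connect the provider in Keycard Console")
    if 300 <= resp.status_code < 400:
        raise ValueError(f"unexpected redirect ({resp.status_code}) from {url!r}")
    return resp


class FakeResponse:  # constructed stand-in for requests.Response
    def __init__(self, status_code: int):
        self.status_code = status_code


def fake_send(url, headers, allow_redirects):
    # Constructed transport: only the sample value "good-token" is accepted.
    ok = headers["Authorization"] == "Bearer good-token"
    return FakeResponse(200 if ok else 401)
```

In real use, pass `requests.get` as `send` and `response.access_token` from the exchange as `token`.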
Troubleshooting
Common errors when wiring GitHub into your zone.
Error 401: Bad credentials
The access token is invalid or expired. Try re-connecting the provider in Keycard Console. If the issue persists, verify the client credentials in Keycard Console match the ones in GitHub Developer Settings.
Error: redirect_uri mismatch
GitHub requires the callback URL to match exactly. Copy the redirect URI from Keycard Console and paste it as the Authorization callback URL in GitHub.
Next steps
What to do once GitHub is installed.
Now do this
- Call GitHub from your code - see the Use GitHub from your code section above for Python and TypeScript samples.
Recommended
- Decide who can use it - write access policies scoped to the GitHub resource so only the right users and apps reach the API.
- Watch the calls - every token exchange and downstream call lands in your audit log with user identity, resource, and policy decision.
Optional
- Add MCP access too - install the GitHub MCP server for AI agents that need GitHub’s tools, not just the REST API.