GitHub Permissions

Netlify never stores GitHub Access Tokens.

Once you authorize Netlify, we fetch an access token from GitHub, but we never store this token. Netlify simply passes the token to our JavaScript single-page app, and from then on all communication with the GitHub API happens directly from the browser. Once continuous deployment has been configured, the token is permanently discarded.

The only access Netlify retains is through a deploy key installed in a specific repository.

We would love to ask for fewer permissions than we do when starting a new project. However, GitHub only provides very coarse-grained permissions for its API.

When you start a new project with continuous deployment, we need to be able to browse your GitHub repositories, add a deploy key to the repository you pick, and install a webhook in that repository.
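The three actions above, as an added illustration rather than Netlify's own code: the endpoints are GitHub's documented REST API (list repositories, create deploy key, create webhook), while the `FakeGitHub` transport, key material, hook URL and secret are constructed so the flow runs offline. It shows the least-privilege shape of what gets installed: a read-only deploy key, a webhook limited to push events and carrying a secret, and a result that contains no token.

```python
import json
import urllib.request

API = "https://api.github.com"

def github_request(token, method, path, body=None):
    """Live transport: one authenticated call to the GitHub REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def deploy_key_payload(public_key, title):
    # read_only=True: the key can clone the repository but can never push to it
    return {"title": title, "key": public_key, "read_only": True}

def webhook_payload(url, secret):
    # The secret lets the receiver verify X-Hub-Signature-256 on every delivery;
    # subscribing only to "push" means the hook learns about new commits and nothing else.
    return {"name": "web", "active": True, "events": ["push"],
            "config": {"url": url, "content_type": "json",
                       "secret": secret, "insecure_ssl": "0"}}

def link_repository(token, owner, repo, public_key, hook_url, hook_secret,
                    send=github_request):
    """Browse repos, add the deploy key, add the webhook, then return only the ids
    of what was installed. The OAuth token is used here and never stored."""
    full = f"{owner}/{repo}"
    repos = send(token, "GET", "/user/repos")
    if not any(r.get("full_name") == full for r in repos):
        raise PermissionError(f"{full} is not visible to this token; check organization access")
    key = send(token, "POST", f"/repos/{full}/keys", deploy_key_payload(public_key, "deploy-key"))
    hook = send(token, "POST", f"/repos/{full}/hooks", webhook_payload(hook_url, hook_secret))
    return {"deploy_key_id": key["id"], "webhook_id": hook["id"]}

class FakeGitHub:
    """Constructed stand-in for GitHub so the flow can run offline; records every call."""
    def __init__(self, visible_repos):
        self.visible, self.calls, self.next_id = visible_repos, [], 100
    def __call__(self, token, method, path, body=None):
        self.calls.append((method, path, body))
        if path == "/user/repos":
            return [{"full_name": name} for name in self.visible]
        self.next_id += 1
        return {"id": self.next_id, **(body or {})}
```

Against the real API, `/user/repos` is paginated, so a repository missing from the first page looks exactly like the organization-access problem described under Troubleshooting below; follow the `Link` headers before concluding access is denied.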

Restrict Access for Organizations

If you’re still worried about granting access to sensitive repositories, GitHub lets you restrict application access for organizations.

[Screenshot: GitHub settings, third-party application access restriction confirmation]

Once these restrictions are in place, Netlify will no longer have any kind of access to the repositories in this organization unless you explicitly allow our application.

We recommend keeping all your most sensitive projects in an organization and enabling third-party restrictions. This makes taking advantage of any of the countless applications that can enhance your GitHub experience easier and more secure.

Read more about restricting third-party access in GitHub’s documentation.

Troubleshooting repository linking

Sometimes you won’t find a repository or organization you’d like to use with Netlify in the list of available repositories in our UI. This is usually caused by permission issues with organization-owned repositories. Note that organization permission is also required for individually-owned forks of private organization-owned repositories.

You can follow these steps to troubleshoot organizational authorization:

  1. Go to the list of Authorized OAuth Apps in your GitHub Settings, and select Netlify from the list.
  2. Under Organization access, find the organization which owns the repository you want to connect. If you don’t see the organization in the list, an organization administrator will need to give you access to the organization, or go to step 4 to set up access manually.
  3. If the organization has a cross mark (❌) next to it, that means that Netlify does not have access. There should be a button on the same line to Grant access (if you are an organization owner) or Request (if you are not). The organization owner receiving the request can follow the steps for approving the app in the GitHub docs.
  4. If you or the organization owner would prefer not to grant organization-level access, our Support team can provide you with the information needed to connect a repository manually. (This includes a deploy key specific to your Netlify site and a webhook to notify us of your new commits.)
