The GitHub Org Tools API is a security layer between your client and the GitHub API. It handles authentication, session persistence, installation lifecycle, and request filtering — so your frontend doesn’t have to.
Endpoint categories
| Category | Base Path | What it does |
|---|---|---|
| Auth | /api/auth/* | OAuth sign-in, session, logout |
| Install | /api/install/* | GitHub App installation flow and webhooks |
| Organizations | /api/organizations/* | Org list, detail, mass invite |
| GraphQL | /api/github/graphql | Typed allowlist proxy to GitHub’s GraphQL API |
| Leaderboard | /api/[org]/leaderboard/* | Repository, team, and contributor leaderboards |
Request flow
Client (Web/Mobile)
│
▼
[ API Route Handlers ] ───► [ Session Store (Supabase) ]
│ │
▼ ▼
[ Auth/Allowlist Logic ] [ Normalized DB ]
│ (users, orgs, memberships)
▼
[ GitHub API (GraphQL/REST) ]Security model at a glance
Session validation
Every protected route checks the session via:
Authorization: Bearer <sessionId>header (mobile apps or API clients)gh_sessionhttpOnly cookie (web browsers)
The session ID is looked up in Supabase auth_sessions, joined with users and organization_memberships + organizations. The GitHub OAuth token is decrypted server-side with AES-256-GCM.
Operation allowlisting
The GraphQL proxy only allows a specific set of 8 named operations. You can’t send arbitrary GraphQL — the operationName must match the allowlist:
ViewerProfileOrganizationSummarySearchUsersOrgRepositoriesRepoScoringDataOrgTeamsDataOrgScoringDataOrganizationRepositories
See GraphQL API for details.
CSRF protection
OAuth and installation flows use signed HS256 state JWTs and temporary CSRF cookies (gh_auth_csrf, gh_install_csrf). Details in Security Model.
Webhook verification
GitHub App webhook payloads are verified with HMAC-SHA256 using GITHUB_WEBHOOK_SECRET. See Webhook API.
Request lifecycle
- Request comes into an API route
- Auth — route validates session via
getRequestSession() - Logic — for REST routes, executes business logic (e.g., mass invite). For GraphQL, verifies
operationNameis allowlisted - GitHub call — server uses the decrypted session token to call GitHub
- Response — result is sanitized and returned to client
Error codes
| Status | Meaning |
|---|---|
400 | Missing or invalid parameters |
401 | Session expired or missing |
403 | Operation not allowed or insufficient permissions |
404 | Resource not found |
413 | Request too large (e.g., mass invite over 50 users) |
500 | Unexpected server or GitHub API failure |
Related docs
| Doc | Description |
|---|---|
| Auth Routes | OAuth sign-in, session, logout |
| Install Routes | Installation flow |
| Organization Routes | Organization endpoints |
| Webhook | GitHub App webhook handler |
| Security Model | Cookies, CSRF, encryption |
| Database Schema | All tables and relationships |