GitHub permissions
Exactly which GitHub OAuth and App permissions FlareCode requests, and what it never asks for.
FlareCode uses GitHub OAuth for sign-in and the FlareCode GitHub App for repository work. This page documents exactly what each one asks for.
OAuth sign-in scope
When you sign in with GitHub, FlareCode currently requests:
| Scope | Why |
|---|---|
| `read:user` | Identify your GitHub account. |
| `user:email` | Attach the right email address to your FlareCode account. |
| `repo` | List and connect reachable repositories, and support older repo flows while the GitHub App is the preferred write path. |
The broad repo OAuth scope is disclosed here because it is what the implementation requests today. Repository writes for connected repos use GitHub App installation tokens whenever the App is installed.
GitHub App permissions
| Permission | Why |
|---|---|
| `contents: write` | Commit changes to a feature branch (`flarecode/task-<id>`). |
| `pull_requests: write` | Open the Pull Request and add a description. |
| `metadata: read` | Look up the repo's default branch. |
| `actions: read` | Read CI status to decide when the PR is ready. |
The App does not function without these four permissions, and it requests nothing beyond them.
What we never ask for
- `admin:repo_hook` — we don't install webhooks beyond what the App platform provides.
- `delete:repo` — we never delete a repo.
- `admin:org` or any org-level scope — we install per repo, not per org.
- `read:org` — we don't read your org membership graph.
- Personal access tokens — never accepted. Connected-repo work uses short-lived, per-repo GitHub App installation tokens when the App is installed.
Why this matters
Least privilege is a safety property, not a checkbox. With the App permissions above, the worst an agent can do in an installed repo is open a Pull Request on a branch — it cannot push to main, change settings, manage collaborators, or reach another repo you didn't connect. Branch protection enforces the default-branch rule server-side; the agent enforces it client-side too.
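One way to check these claims against your own account, as an added example that is not FlareCode's code: compare an installation object (as returned by GitHub's `GET /user/installations`) and the `X-OAuth-Scopes` response header of an OAuth token with the sets documented on this page. The function names and the sample data are assumptions constructed for illustration.

```python
# Added example: audit an App installation and an OAuth token against the
# permissions documented on this page. All sample data is constructed.

# Documented on this page.
EXPECTED_APP_PERMS = {"contents": "write", "pull_requests": "write",
                      "metadata": "read", "actions": "read"}
EXPECTED_OAUTH_SCOPES = {"read:user", "user:email", "repo"}
LEVELS = {"read": 1, "write": 2, "admin": 3}


def audit_installation(installation: dict) -> list[str]:
    """Compare an installation object's grants with the documented set."""
    findings = []
    granted = installation.get("permissions", {})
    for name, level in sorted(granted.items()):
        want = EXPECTED_APP_PERMS.get(name)
        if want is None:
            findings.append(f"undocumented permission: {name}: {level}")
        elif LEVELS.get(level, 99) > LEVELS[want]:
            findings.append(f"{name} is {level}, documented as {want}")
    for name in sorted(EXPECTED_APP_PERMS.keys() - granted.keys()):
        findings.append(f"documented permission not granted: {name}")
    # The page says install is per repo, so "all" is a deviation.
    if installation.get("repository_selection") != "selected":
        findings.append("installation is not limited to selected repositories")
    return findings


def audit_oauth_scopes(x_oauth_scopes: str) -> list[str]:
    """Return scopes in an X-OAuth-Scopes value beyond the documented ones."""
    granted = {s.strip() for s in x_oauth_scopes.split(",") if s.strip()}
    return sorted(granted - EXPECTED_OAUTH_SCOPES)


# Constructed samples, shaped like GitHub's REST responses.
OK_INSTALL = {"repository_selection": "selected",
              "permissions": dict(EXPECTED_APP_PERMS)}
DRIFTED_INSTALL = {"repository_selection": "all",
                   "permissions": {**EXPECTED_APP_PERMS,
                                   "administration": "write",
                                   "actions": "write"}}

if __name__ == "__main__":
    for label, inst in (("ok", OK_INSTALL), ("drifted", DRIFTED_INSTALL)):
        print(label, audit_installation(inst) or "matches documented set")
    print(audit_oauth_scopes("read:user, user:email, repo, read:org"))
```

An empty result from both functions means the grant matches what this page documents; any finding is a reason to review or revoke the installation.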
Install and revoke
Install is per repo, and you can change or revoke it any time from GitHub → Settings → Applications → Installed GitHub Apps → FlareCode. Full walkthrough in Connect a repo.