Github app auth for Graphql apis

[utkarsha-ubale-sp]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

API

Body

was using PAT for authentication and below GraphQL query to fetch details of org member. Now, I want to support auth via github apps as well, but this query doesn't provide the expected response. what is the correct query to fetch org members with github app authentication. I am using Ocktokit in ts for generating token

query ReadOrganizationUser($org: String!, $nativeIdentifier: String!, $first: Int = 100) {
		user(login: $nativeIdentifier) {
			databaseId
			login
			name
			id
			email
			twitterUsername
			url
			bio
			bioHTML
			location
			company
			companyHTML
			isBountyHunter
			isHireable
			isEmployee
			isSiteAdmin
			isGitHubStar
			isViewer
			isCampusExpert
			isDeveloperProgramMember
			hasSponsorsListing
			followers {
				totalCount
			}
			following {
				totalCount
			}
			gists {
				totalCount
			}
			repositories{
                totalCount
            }
			estimatedNextSponsorsPayoutInCents
			monthlyEstimatedSponsorsIncomeInCents
			websiteUrl
			createdAt
			updatedAt
            
		}
		organization(login: $org) {
			teams(userLogins: [$nativeIdentifier], first: $first, rootTeamsOnly: false) {
				totalCount
				nodes {
					databaseId
					slug
					name
					id
				}
				pageInfo {
					endCursor
					hasNextPage
				}
			}
		}
	}

and

query($login: String!, $cursor: String) {
        organization(login: $login) {
            url
            login
            repositories(first: 100, after: $cursor) {
                pageInfo {
                    endCursor
                    hasNextPage
                }
                nodes {
                    name
                    collaborators(affiliation: OUTSIDE, first: 100) {
                        edges {
                            permission
                        }
                        nodes {
                            databaseId
							login
							name
							id
							email
							twitterUsername
							url
							bio
							bioHTML
							location
							company
							companyHTML
							isBountyHunter
							isHireable
							isEmployee
							isSiteAdmin
							isGitHubStar
							isViewer
							isCampusExpert
							isDeveloperProgramMember
							hasSponsorsListing
							followers {
								totalCount
							}
							following {
								totalCount
							}
							gists {
								totalCount
							}
							repositories {
								totalCount
							}
							watching {
								totalCount
							}
							estimatedNextSponsorsPayoutInCents
							monthlyEstimatedSponsorsIncomeInCents
							websiteUrl
							createdAt
							updatedAt
                        }
                    }
                }
            }
        }
    }

[Ayouub-aj]

Hi @utkarsha-ubale-sp ,

The issue you're encountering is likely due to the change in authentication context. When using a PAT, the viewer is you, but when using a GitHub App, the viewer is the App's bot account. Since the bot isn't a member of the organization, it cannot "see" members through the same relational paths.

To resolve this, you need to query the Organization directly and ensure your App has the correct Permissions.

1. Update GraphQL Query

Instead of starting with the user or viewer node, query the organization node and use membersWithRole. This is the most reliable way for a GitHub App to fetch a list of members.

query GetOrgMembers($org: String!, $first: Int = 100, $cursor: String) 
{
  organization(login: $org)
 {
    membersWithRole(first: $first, after: $cursor) {
      totalCount
      pageInfo {
        hasNextPage
        endCursor
      }
nodes {
        databaseId
        login
        name
        id
        email
        url
        # Note: Some fields like 'isViewer' or 'isGitHubStar' 
        # may return null for App-based queries as they are 
        # user-centric.
      }
    }
  }
}

2. Verify GitHub App Permissions

A GitHub App doesn't inherit your permissions; it only has what you explicitly grant it. For the query above to work, go to your App settings:

Settings > Developer Settings > GitHub Apps > [Your App]

Permissions & events > Organization permissions

Set Members to Read-only.

Important: If you update permissions, the Organization owner must accept the new permissions on the installation for them to take effect.

3. Implementation with Octokit (@octokit/auth-app)

Since you are using TypeScript and Octokit, ensure you are using the getInstallationOctokit method. A common mistake is using the App-level JWT instead of an Installation Access Token.

import { App } from "octokit";

const app = new App({
  appId: process.env.APP_ID,
  privateKey: process.env.PRIVATE_KEY,
});

// Use the installation ID where the app is installed
const octokit = await app.getInstallationOctokit(INSTALLATION_ID);

const { organization } = await octokit.graphql(QUERY_STRING, {
  org: "your-org-name",
});

I hope this helps get your integration back on track! If you found this helpful, please consider marking it as the Answer so others in the community can find it easily 👍

[utkarsha-ubale-sp]

This query is for list of members, I want to fetch details of a single member. Is there any replacement of the one I pasted in the above message?