GitHub App installation "act on your behalf" warning

[nehzata]

Hi,

I have an app configured with read-only access to user's email address, read-only metadata access & read-only repository content access.

When users try to install the app though they are warned that my app will "Act on your behalf", which is leading to a very negative user experience. Is there anything I can do? Is it something I've done wrong? Can I reconfigure the app in any way to remove this warning?

The number one question I'm currently getting is "Why does your app need to act on my behalf?"

Thanks in advance!
Ali,

[Ehesp]

Relevant issue which seems to be top on Google searches: cirruslabs/cirrus-ci-docs#751

[nehzata]

@Ehesp Yeh, this thread also comes up, which seems to suggest that warning is there even in the case of 0 permission apps. I plan to test it today to see.

[Ehesp]

That is correct - we have an app with zero permissions (with the mindset of adding more in the future) and also have this issue.

[fanhaixing999]

is it dangerous my github？
github dont like thoseactivitys

[johnnyreilly]

Would be very interested in seeing a resolution to this - the prompt below is too scary to agree to

[gramwilliam336-cmd]

The warning means the GitHub App can take actions as you. Review permissions carefully before installing.

[Buggem]

@gramwilliam336-cmd have you even read half of this thread you moron

[mryellow]

Review permissions carefully before installing.

That's the problem. You can't.

It says "Act on your behalf", reviewing this information is reviewing the permissions. You see "Oh they have write access. I won't install this app then."

The dialog doesn't actually state what permissions are requested, while the "Learn more" button does not lead to anything showing any details.

[ossanna16]

Hi there @nehzata and welcome to our community! Thank you for asking a great question 🙂

[nehzata]

Hi @ossanna16 Thank you! Would you be able to advise what the best course of action here would be?

[ossanna16]

@timrogers Are you able to help @nehzata out here?

[qpwo]

Any way to sign-in with github app without the "act on your behalf" in 2025? @ossanna16 @timrogers @hpsin

[pboling]

The answer is no, not in 2025, and not until GitHub gets better product leadership.

[mryellow]

Nice welcome. Very community manager like. Now 3 years later, have someone respond to the issue.

[nehzata]

@martinwoodward Sorry for pinging like this. Could you please assist?

[mryellow]

@martinwoodward Is that a "no"?

[hpsin]

Hey all,
Definitely understand that this isn't the most understandable UI phrasing. We're looking at better ways of phrasing this or removing it entirely since all it means is that the app gets to interact with these permissions in your name.

Would updating the permissions individually to explain the permission make more sense? E.g. "Open and close issues in your name" or "Open and close issues using your identity"? Neither is immediately clear that everyone else will see you closing those issues.

[spydon]

@hpsin I guess this hasn't been prioritised in 2023 either?

[jsoref]

@hpsin:

1. If it only gets access to specific resources, then it should say "See a subset of the resources you can access -- which you can adjust (learn more)"

2. If it has no permissions to act on a user's behalf then the line-item should disappear.

3. I'm not quite sure why there's a section called "Resources on your account" -- I wouldn't call email addresses "Resources"

4. If it has permissions where a normal observer would see the app acting on a user's behalf then the item should be of the form:

   Perform the following actions on your behalf:

[scpedicini]

Hey all, Definitely understand that this isn't the most understandable UI phrasing. We're looking at better ways of phrasing this or removing it entirely since all it means is that the app gets to interact with these permissions in your name.

Would updating the permissions individually to explain the permission make more sense? E.g. "Open and close issues in your name" or "Open and close issues using your identity"? Neither is immediately clear that everyone else will see you closing those issues.

@hpsin

This is a pretty bad UI/UX experience. Literally could be made infinitely better if it said Act On your Behalf ([LIST OF ALLOWED ACTIONS]).

[mryellow]

We're looking at better ways of phrasing this or removing it entirely since all it means is that the app gets to interact with these permissions in your name.

How is the progress on removing this entirely now 3 years later?

[pboling]

@hpsin

this isn't the most understandable UI phrasing

That's reductive. The issue isn't understanding the phrasing. The issue is that:

1. the phrasing is misleading in a way that would lead a reasonable adult to make invalid assumptions.
2. this reduces conversion on apps that use the flow by ~50% (please read the discussion for examples!)
3. this reduction in conversion forces companies to warn their users to disregard the security notice.
4. GitHub failing to fix this is grossly negligent, and probably legally jeopardizing.
   A. Reference: Tesla recently got handed a bill for $329 million in compensatory and punitive damages for misleading documentation, and misleading their users about safety.

[nehzata]

@hpsin thanks for responding to this!

Yes that would be great but I worry that it's going to take a long time to implement.

Can I also suggest for now changing the warning to read "May be able to act on your behalf" and updating the docs behind the "Learn more" link? The wording in the linked docs further reinforces the the wrong impression.

[akostadinov]

Not really helpful this. I want to know what app can do exactly. This "maybe" could be even more alarming.

[mryellow]

"May not act in your behalf in any way but we use those words because....."

[JonRowe]

As a maintainer I had to think long and hard about allowing this dialouge, check the source of the app to see if it was legit and vet the background of the author a bit as it doesn't say what it can do on my behalf, this message should definietly explain the scope of what the app can do, and allow us to limit that scope.

[jfullstackdev]

as for me, it's just a generic message from GitHub, what you can do is to put the complete information about your app in README and any other possible site for the users

[coryvirok]

I get this with an app that has 0 permissions requested. I would expect that for an app with 0 permissions requested, only the first of the following 3 messages would appear in the authorize UI.

• Verify your GitHub identity (coryvirok)
• Know which resources you can access
• Act on your behalf

Verify your GitHub identity (coryvirok)

✅ This makes sense me as a developer as well as a consumer of an app that is requesting 0 permissions. The very fact that I'm adding the app to my GitHub account in order to provide SSO to my site would mean that my site is going to be able to verify my identity on GitHub.

Know which resources you can access

❌ This doesn't make sense to show for a GitHub app since the user is going to be able to select which resources the app has access to. Meaning, the app will only be able to know which resources belong to the user if the user selects them.

As a user of the app, this makes me wonder if the app is able to see resources outside of the ones I've selected.

Act on your behalf

❌ This doesn't make sense to show unless there is some sort of a write: permission requested by the app.

If at all possible, I'd like to never use a user-to-server token which would mean my app would always interact with GitHub using the installation token. Which means I would never be acting on the user's behalf.

[domfarolino]

Is there any update on this? I have a simple GitHub Application that asks for read-only information to public data just to hit the GitHub API with authentication (to avoid the public rate limit) and users are asking why the app says it can "Act on your behalf."

[p0358]

I want to point out that in my case I had this issue only on GitHub app created on my profile. For my use-case it was fine to create OAuth app on organization rather than GitHub app, and that one doesn't have this "Act on your behalf" thing, apparently

vs

Worth noting that the URL and scopes are the exact same in both cases

[adi3]

Bump on this thread. Any update from the GitHub team? Going by @p0358's comment above, the current messaging encourages devs to build an oauth app instead of GitHub app. Yet all over the docs GitHub has plastered the message asking us to consider moving away from Oauth apps

[crohr]

I can't believe this phrasing is still there. Number one reason why users do not go through that first screen, even though I have zero permissions to act on their behalf.

I suspect that's the reason why many companies use 2 GitHub flows: one for authorising/identifying the user using an OAuth app (which doesn't have this crazy warning), and a second one which goes through a GitHub App when permissions are needed on repositories (because we can take advantage of the better granularity here). But that's not what I would call a good dev UX.

[prevostc]

With only read permissions set on our app, showing this warning is a bug.

[hblanco666]

I can't believe this is still an issue. This is definitely a bug, the interface is showing incorrect and misleading information to the user. This creates lots of problems in the context of a security aware company since all users will report a non-issue

[omarabid]

This is unlikely to get resolved because the messaging is correct. The app can act on your behalf when installed to a repository. This is true whether you have read or write permissions (the app does act on your behalf to read your repo!). The warning is upfront when you authorize the app.

The issue is that you might want to use GitHub App as an auth mechanism before getting the user to commit to installing your app. I can see two choices here:

1. Use an oauth app for auth. You don't need to auth your app to have it installed. However, in this case, the app won't be able to act on your behalf! If you need to have the app act on behalf of the user, then you need another auth to the app.
2. GitHub adds a special auth mechanism that is used for Login and identification purposes.

[Namaskar-1F64F]

Your premise is off. The GitHub app with no permissions, read or write, will still produce this message.

[omarabid]

Still, the app is authorized to act on your behalf on these "no permissions". I think the issue is how they implemented this on their back-end and a change will be difficult which is why I suggested that they add a special mechanism solely for auth.

[othonrm]

They already have it and it’s called OAuth apps…

[mryellow]

"Act" is not passively reading. "Act" is mutation.

[amkozlov]

maybe Copilot can help with this one? ;)

seriously, this is extremely confusing for everyone who does not just blindly click "authorize everything" .

[Buggem]

Hello AI generated advertising for a website on GitHub

[omarabid]

I ended up creating an Oauth app for the initial login. The conversion rate is insane compared to the last one (I have a low volume but so far 100% proceed to account creation vs around 50% with the App one).

Still, this means you have a 3 leg process: 1. Oauth app for login 2. GitHub App Authorization and 3. GitHub App installation. Although the advantage is that once the user has entered your app, you can guide them through the process. It'd be nice if this process is eased and simplified.

[mryellow]

This UX bug is still in place and has had no attention paid to it.

[cie]

Microsoft Dev Tunnels also has this problem.

[skvark]

This is annoying wording and affects the sign-up conversion rate for our code search app. Even though we request only email address read permission, some users get spooked by the "act on your behalf" text.

[pboling]

some users get spooked by the "act on your behalf" text.

They may be the smart ones. The text is scary, because it could be argued that, in a buggy scenario, where your app did get escalated rights, and was able to "act on their behalf" in malicious ways - GitHub might try to claim they are not liable, and that the user agreed to it anyways.

It unacceptably terrible, and we should be more upset than we are.

[skvark]

Yes, those users are smart. But the text is also overly broad and misleading in this case. It makes our app seem like it could do far more than it actually can, which hurts trust and conversions. The intent might be legal coverage on GitHub's part, but it ends up penalizing cautious users and low-permission apps alike.

[pboling]

I think it is more likely just a poorly designed feature. :/ Either way, GitHub doesn't care much about anything but Copilot.

[PRIYAtechky]

No, this message cannot be removed or customized. It’s a standard security warning shown by GitHub during app installation, regardless of whether the app only has read-only permissions. The banner is meant to inform users that the app will interact with their account, even if in a limited, read-only capacity. You can reassure users by documenting clearly that your app only requests read-only access and cannot perform write actions.

[coryvirok]

Seems like this is actually on GitHub's side of the fence and is what they need to make clear: "You can reassure users by documenting clearly that your app only requests read-only access and cannot perform write actions."

[skvark]

Definitely GitHub's responsibility to clear up the wording and make it clear how the app can act on behalf of the user.

[mryellow]

The banner is meant to inform users that the app will interact with their account, even if in a limited, read-only capacity.

That's not what the message says. The message clearly says "ACT". This does not indicate passive reading but mutation of data.

You can reassure users by documenting clearly that your app only requests read-only access and cannot perform write actions.

So we tell users "Ignore any security warnings, they're poorly worded.".

Yeah, great solution.

[pboling]

And "act on your behalf" is legalese that has consequential implications.
It brings to mind things like power-of-attorney, living-will, auto-pen, and "#FreeBritney"...
It's the opposite of soft language.

[Narendra-Rajput003]

The "act on your behalf" warning appears for ALL GitHub Apps during installation, regardless of the permissions they request - even apps with zero permissions show this message. This is a known UI/UX issue that GitHub acknowledges but hasn't resolved yet.

Here's what you need to know:

Why it appears:

* It's a generic warning that shows for every GitHub App installation
* The message appears even for read-only permissions or apps with no permissions at all
* It simply means the app will use your identity when performing any actions within its granted permissions

Current status:

* GitHub staff acknowledged this is confusing UI phrasing back in October 2022
* They mentioned looking into better phrasing or removing it entirely
* As of 2025, this issue remains unresolved despite community feedback

What it actually means:

* For read-only apps: The app can view resources using your identity
* For apps with write permissions: Actions will appear as if you performed them
* It doesn't grant unlimited access - only what's specified in the permission list

Recommendations:

* There's currently no way to remove this warning as an app developer
* Consider adding clear documentation explaining what permissions your app actually needs
* Be transparent with users about the limited scope of your app's access

Unfortunately, this remains a frustrating limitation that affects user trust and conversion rates for GitHub App installations.

[mryellow]

• Consider adding clear documentation explaining what permissions your app actually needs
• Be transparent with users about the limited scope of your app's access

I don't think devs should be doing either of these.

If user's are trained to accept as fact the descriptions shown outside of the place where permissions are actually assigned, they behave in a less secure manner going forward.

I take the message to mean "This app has requested write permissions" and if any website were telling me otherwise my default response would be not to trust that information but instead go looking for answers. Perhaps 30 minutes later finding this thread and discovering the message doesn't actually mean "act" and the whole thing is a UX issue.

[pboling]

Great summary @Narendra-Rajput003 !

@mryellow Agreed. The recommended solution should be to boycott GitHub, and vote with our feet. Teaching users insecure, dangerous behavior is negligent in a similar way to how Tesla was just fined $243 million (or $329 million, depending on how you count it, I guess) for negligence in teaching their users (drivers) about the safety of their tools, and using misleading language.

This isn't very different, and I expect GitHub's legal team is only OK with this because they are not aware of how this exact thread could be used in court to prove their liability.

[Buggem]

@pboling Completely agreed. Archiving the thread now on the Wayback Machine incase it is deleted.

[Buggem]

We've been bumping it so hard for the past 3 years, to no avail. I highly doubt anything will ever happen.

[anup-jha26]

[pboling]

Did you read the discussion? Those points have been made, but they miss the import of the issue. Here's my most recent summary: https://github.com/orgs/community/discussions/37117#discussioncomment-14171427

[pboling]

I misunderstood your point. I thought you were basically saying "this is normal, nothing to see here":

The wording is part of GitHub’s standard install screen, not something we can change.

☝️ that's what threw me off. In any case, we agree 💯 - this is trash corporate behavior, a terrible security posture, and most harmful to the most vulnerable - who don't show up here to chat. ;)

[coryvirok]

So much useless AI slop comments in recent days.

[skvark]

Yeah, feels like we are chatting with ChatGPT...

[Buggem]

It's fucking pathetic in full honesty.

[Niharika07-B]

[mryellow]

"On the next page you'll be instructed to do something dangerous, ignore any warnings and accept our words that you just blindly click 'Accept'"

It's not your job to describe to your user what their thoughts on the follow pages security warnings should be.

This makes for insecure behaviour.

[Buggem]

Why is this reply showing blank? I can't dislike it either.

[Buggem]

The discussion appears to have been locked. I can't vote anymore.

[pboling]

Same. But we can still comment, and emoji react. :/

[pboling]

Time to archive it in the wayback machine again.