Documentation Index
Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt
Use this file to discover all available pages before exploring further.
Overview
OneCLI connects AI agents to GitHub so they can read and write code, open pull requests, manage issues, and trigger workflows. The gateway injects GitHub credentials into API requests automatically.
OneCLI supports two ways to connect GitHub:
| Method | Access scope | Best for |
|---|
| OAuth | All repos the user can access | Personal use, quick setup |
| GitHub App | Only selected repos | Teams, organizations |
Quick example
An agent calling the GitHub API through the gateway, with no token management needed:
# List your repositories
curl -s "https://api.github.com/user/repos?per_page=5&sort=updated" | jq '.[].full_name'
# Create an issue
curl -s -X POST "https://api.github.com/repos/myorg/myrepo/issues" \
-H "Content-Type: application/json" \
-d '{"title": "Bug: login page timeout", "body": "The login page times out after 30s on slow connections."}'
# Open a pull request
curl -s -X POST "https://api.github.com/repos/myorg/myrepo/pulls" \
-H "Content-Type: application/json" \
-d '{"title": "Fix login timeout", "head": "fix/login-timeout", "base": "main"}'
# Trigger a workflow
curl -s -X POST "https://api.github.com/repos/myorg/myrepo/actions/workflows/deploy.yml/dispatches" \
-H "Content-Type: application/json" \
-d '{"ref": "main"}'
Bearer token for API calls, Basic auth for git-over-HTTPS.
OAuth
Connect your personal GitHub account. The agent gets access to all repositories you can see.
Setup
Go to Connections
Open the OneCLI dashboard and navigate to Connections > GitHub.
Authorize
Click Connect GitHub. You’ll be redirected to GitHub to authorize OneCLI. Review the permissions and click Authorize. Permissions
The OAuth connection requests these scopes:
| Scope | Name | Access |
|---|
repo | Repositories | Read & write (code, issues, PRs) |
user | Profile | Read (email, name, avatar) |
gist | Gists | Read & write |
notifications | Notifications | Read |
project | Projects | Read & write |
codespace | Codespaces | Read & write |
workflow | Actions | Read & write (workflow files) |
How it works
- You authorize OneCLI via GitHub’s OAuth flow
- OneCLI receives a long-lived access token and encrypts it
- When an agent sends a request to
api.github.com, the gateway injects the token as a Bearer header
- For git operations over HTTPS (
github.com), the gateway injects Basic auth credentials
Use cases
- Coding agents creating branches, committing code, and opening pull requests
- Agents reviewing PRs and leaving comments
- Triggering GitHub Actions workflows from an agent
- Reading repository contents during code generation
Limitations
- The token has access to all repositories you can see, not just selected ones
- No organizational visibility or approval flow
- Token is long-lived until you revoke the connection
GitHub App
For teams and organizations. A GitHub App gives you repo-level access control and organizational visibility. Org admins can see which repos are connected and approve or revoke access at any time.
Setup
Go to Connections
Open the OneCLI dashboard and navigate to Connections > GitHub App.
Configure credentials (self-hosted only)
If you’re using OneCLI Cloud, skip this step. Platform credentials are pre-configured.For self-hosted deployments, create a GitHub App and enter your App ID, App Slug, and Private Key. Install the app
Click Connect GitHub App. You’ll be redirected to GitHub where you can:
- Select the organization or personal account
- Choose All repositories or Only select repositories
- Review the permissions
Click Install to complete the connection. Permissions
The GitHub App requests only the permissions your agents need:
| Permission | Access | Description |
|---|
| Contents | Read & write | Code, commits, and branches |
| Pull requests | Read & write | Create, review, and merge PRs |
| Issues | Read & write | Create and manage issues |
| Actions | Read & write | View runs and trigger workflows |
| Checks | Read & write | Read CI results, create check runs |
| Commit statuses | Read & write | Read and set status checks |
| Discussions | Read & write | Read and participate in discussions |
| Projects | Read & write | Manage project boards |
| Metadata | Read-only | Repository metadata (always granted) |
How it works
- You install the GitHub App on your organization or account and select which repositories it can access
- OneCLI receives the app’s private key and installation ID
- The gateway signs a short-lived JWT and exchanges it for an installation access token (1hr TTL)
- The token is injected into API requests and automatically refreshed when it expires
Use cases
- Organizations giving agents access to specific repos without exposing the full account
- Teams where admins need visibility into which repos agents can access
- Production deployments where token rotation should be automatic
- Compliance environments where long-lived tokens are not acceptable
Managing access
After connecting, you can change which repositories the app can access:
- Go to Connections > GitHub App in the OneCLI dashboard
- Click Manage on the connection
- You’ll be taken to GitHub’s installation settings where you can add or remove repositories
Comparison
| OAuth | GitHub App |
|---|
| Repo access | All repos the user can see | Only selected repos |
| Token lifetime | Long-lived | 1 hour (auto-refreshed) |
| Org visibility | Not visible to admins | Visible to org admins |
| Org approval | Not required | Required |
| Setup | One-click OAuth | Install app + select repos |
| Best for | Personal, quick start | Teams, production |
Per-action permissions
Once connected, the dashboard shows a permissions panel where you control what agents can do with GitHub. Each action has three modes: Allow (green), Ask (yellow, requires human approval), and Block (red, request is rejected).
Read-only actions:
| Action | Description |
|---|
| List repositories | Browse repos the account can access |
| Read repository | Read code, commits, branches |
| List issues | View issues on a repo |
| List pull requests | View open/closed PRs |
| Action | Description |
|---|
| Create issue | Open new issues |
| Create pull request | Open PRs against a repo |
| Create comment | Comment on issues and PRs |
| Delete / close | Close issues, delete branches |
Controlling access with rules
Both connection methods also work with OneCLI’s rules engine. You can create rules to:
- Block write operations to
api.github.com for read-only agents
- Rate limit API calls to stay within GitHub’s rate limits
- Require manual approval for destructive operations (e.g., deleting branches)
Rules are evaluated before credential injection, so a blocked request never touches your GitHub token.
