universal-github-app-jwt
Calculate GitHub App bearer tokens for Node & modern browsers
The universal-github-app-jwt npm package is designed to help developers generate JSON Web Tokens (JWT) for GitHub Apps. This is particularly useful for authenticating GitHub Apps and making API requests on behalf of the app.
Generate JWT
This feature lets you generate a JWT for your GitHub App from the app's ID (or Client ID) and private key. The generated token can then be used to authenticate API requests made as the app.

```js
import githubAppJwt from "universal-github-app-jwt";

async function getToken() {
  // Keep the PEM's line breaks; escaped "\n" sequences are unescaped by the package.
  const { token } = await githubAppJwt({
    id: process.env.GITHUB_APP_ID,
    privateKey: process.env.GITHUB_PRIVATE_KEY,
  });
  console.log(token);
}

getToken();
```
The github-app package is another alternative for generating JWTs for GitHub Apps. It provides a straightforward API for creating tokens and can be a simpler choice for developers who do not need the full suite of features provided by Octokit.
Calculate GitHub App bearer tokens for Node, Deno, and modern browsers
Platform | How to load
---|---
Browsers | Load universal-github-app-jwt directly from esm.sh
Node | Install with npm
Deno | Load universal-github-app-jwt directly from esm.sh

```js
const { token, appId, expiration } = await githubAppJwt({
  id: APP_ID,
  privateKey: PRIVATE_KEY,
});
```
The retrieved token can now be used in the Authorization request header, e.g. with @octokit/request:

```js
request("GET /app", {
  headers: {
    authorization: `bearer ${token}`,
  },
});
```

For a complete implementation of GitHub App authentication strategies, see @octokit/auth-app.js.
githubAppJwt(options)
name | type | description
---|---|---
options.id | number \| string | Required. The GitHub App's ID or Client ID. For github.com and GHES 3.14+, it is recommended to use the Client ID.
options.privateKey | string | Required. Content of the *.pem file you downloaded from the app's about page. You can generate a new private key if needed. Make sure to preserve the line breaks. If your private key contains escaped newlines (`\\n`), they will be automatically replaced with actual newlines.
options.now | number | An optional override for the current time in seconds since the UNIX epoch. Defaults to `Math.floor(Date.now() / 1000)`. This value can be overridden to account for a time skew between the local machine and the authentication server.
githubAppJwt(options) resolves with an object with the following keys:

name | type | description
---|---|---
token | string | The JSON Web Token (JWT) to authenticate as the app.
appId | number | The GitHub App database ID or Client ID passed in options.id.
expiration | number | Timestamp as UNIX epoch in seconds, e.g. 1530922170. Because Date expects milliseconds, a Date object can be created using `new Date(authentication.expiration * 1000)`.
When downloading a private-key.pem file from GitHub, the key is in PKCS#1 format. Unfortunately, the WebCrypto API only supports PKCS#8.

If you use 1Password to store a private key as an SSH key, it will be transformed to the OpenSSH format, which is also not supported by WebCrypto.

You can identify the format based on the first line:
First Line | Format |
---|---|
-----BEGIN RSA PRIVATE KEY----- | PKCS#1 |
-----BEGIN PRIVATE KEY----- | PKCS#8 |
-----BEGIN OPENSSH PRIVATE KEY----- | OpenSSH |
PKCS#1 to PKCS#8

Convert quickly using the Web interface at https://private-key-converter.vercel.app

If you use Node.js, you can convert the format before passing it to universal-github-app-jwt:

```js
import crypto from "node:crypto";
import githubAppJwt from "universal-github-app-jwt";

const privateKeyPkcs8 = crypto
  .createPrivateKey(process.env.PRIVATE_KEY)
  .export({
    type: "pkcs8",
    format: "pem",
  });

const { token, appId, expiration } = await githubAppJwt({
  id: process.env.APP_ID,
  privateKey: privateKeyPkcs8,
});
```
Convert the format using openssl before passing it to your app:

```sh
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.key
```

OpenSSH to PKCS#8

```sh
cp private-key.pem private-key-pkcs8.key && ssh-keygen -p -m PKCS8 -N "" -f private-key-pkcs8.key
```

This command forces a format change by asking ssh-keygen to set no password and then output in a different format.
I'm looking for help to create a minimal OpenSSH to PKCS#8 conversion library that I can recommend people use before passing the private key to githubAppJwt. Please create an issue if you'd like to help.
The npm package universal-github-app-jwt receives a total of 1,287,769 weekly downloads. As such, universal-github-app-jwt popularity was classified as popular.
We found that universal-github-app-jwt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.