How to automate refresh JWT token for GithubApp

[ramyanarsupalli2109]

Select Topic Area

Question

GitHub Feature Area

APIs and Webhooks

Body

Hello,

I have tried using github app, and tried creating merge request by running podman
podman run --rm --volume /home/renovate-runner/renovate-local-tokens/renovate-config.js:/usr/src/app/config.js -e LOG_LEVEL=debug docker.io/renovate/renovate

I have tried creating JWT token , with the requirements such as APPID, Installation token and the github Privatekey
And then using curl I generated a token which can be used on my config.js , such that the merge request got created successfully.
Now how can I use the renoavte inbuilt functionality such that the refresh and exchange of the access token happens by its own, without using any scripts?
I have also seen
https://docs.renovatebot.com/modules/platform/github/

Where third party tools can be directly used to create these access tokens.
Can you point me how can I refresh and exchange these tokens with inbuilt functionality.
Your help is much appreciated.
Thanks,
Ramya

[Aredhel269]

Hi Ramya,

You're on the right track using the GitHub App authentication flow for Renovate. The good news is: Renovate can handle token generation and refreshing automatically, without the need for custom scripts, if you provide the correct credentials and use the GitHub App configuration properly.

Renovate can automatically authenticate as a GitHub App if you provide these three things in your config:

• GITHUB_APP_ID – your GitHub App ID
• GITHUB_PRIVATE_KEY – the private key of your GitHub App, as a string or file
• GITHUB_INSTALLATION_ID – the installation ID of your GitHub App on the target repo/org

These are environment variables or can be passed as CLI arguments.

Here’s how you can run Renovate with the built-in GitHub App integration:

podman run --rm \
  -e LOG_LEVEL=debug \
  -e RENOVATE_CONFIG_FILE=/usr/src/app/config.js \
  -e GITHUB_APP_ID=123456 \
  -e GITHUB_INSTALLATION_ID=7890123 \
  -e GITHUB_PRIVATE_KEY="$(cat /path/to/private-key.pem)" \
  -v /home/renovate-runner/renovate-config.js:/usr/src/app/config.js \
  docker.io/renovate/renovate

• The GITHUB_PRIVATE_KEY needs to be passed either as:

  • A string (inline, escaped), or
  • Mounted as a file and referenced in the config

• Make sure your GitHub App has the proper permissions:

  • Contents: Read & write
  • Pull requests: Read & write
  • Metadata: Read-only

If you pass those three env variables, Renovate will automatically:

• Generate a JWT
• Use it to exchange for an installation token
• Refresh it as needed during the run

So you no longer need to generate the token with curl or add it manually to the config.

You're correct — the official docs mention this setup here:
🔗 [Renovate GitHub App Auth (Platform Docs)](https://docs.renovatebot.com/modules/platform/github/#github-app-authentication)

[ramyanarsupalli2109]

Any response to my comment below ? I tried this out but can’t get a proper result

[ramyanarsupalli2109]

@Aredhel269

can you please answer based on the result of my output

[BoopathirajS]

How to identify the the private key of GitHub App ?
I do not see any option to create a private key while create GitHub App or OAuth App in Github Enterprise.
Can you please suggest ?

[ramyanarsupalli2109]

When I try the way described by you, I face the below error:

DEBUG: Using RE2 regex engine
DEBUG: Parsing configs
DEBUG: Checking for config file in /usr/src/app/config.js
DEBUG: File config
"config": {
"endpoint": "https://api.github.com/",
"platform": "github",
"repositories": [/githubapp-hc"]
}
DEBUG: CLI config
"config": {}
DEBUG: Env config
"config": {"hostRules": []}
DEBUG: Resolved global extends
"config": undefined
DEBUG: Combined config
"config": {
"endpoint": "https://api.github.com/",
"platform": "github",
"repositories": ["*/githubapp-hc"],
"hostRules": []
}
DEBUG: Adding trailing slash to endpoint
DEBUG: Enabling forkProcessing while in non-autodiscover mode
DEBUG: Enabling onboardingNoDeps while in non-autodiscover mode
DEBUG: Found valid git version: 2.49.0
DEBUG: Setting global hostRules
FATAL: Initialization error
"errorMessage": "You must configure a GitHub token"
INFO: Renovate is exiting with a non-zero code due to the following logged errors
"loggerErrors": [
{
"name": "renovate",
"level": 60,
"logContext": "RNCxQ1Buv4uAMjw35civz",
"errorMessage": "You must configure a GitHub token",
"msg": "Initialization error"
}
]
--------------------------------------
My config.js file looks like this

   module.exports = {
endpoint: 'https://api.github.com/',
platform: 'github',
repositories: [
    '*****/githubapp-hc',
],

};

[ffbetatestingapp]

To automate JWT refresh for a GitHub App:

1- Generate a new JWT using your app's private key (valid for 10 mins).

2- Use the JWT to request an installation access token (valid for 1 hour).

3 Repeat when the token expires or on 401 Unauthorized.

This can be scripted in any language (e.g., Python or Node.js) and triggered on demand or with a timer.

[ramyanarsupalli2109]

No, I want to automate this , so I followed the suggestion as mentioned in above comment, without using scripts.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬