Developer quickstart · hosted
The connector is the product. Install that, not a token.
The common mistake: installing the GitHub App and stopping. The App grants the ceiling; the MCP connector is what your agent actually talks to. One OAuth flow binds them — do it in this order and there's exactly one flow.
Add the remote MCP connector in your client
In Claude (web or desktop): Settings → Connectors → Add custom connector. No client ID or secret needed — the server does OAuth 2.1 dynamic client registration with PKCE.
https://gitauth.klappy.dev/mcpConnect — the GitHub binding happens inside this flow
Clicking Connect runs the whole chain: GitHub login → the server checks which installations of the App you control → zero installations sends you to install it on the repos you pick; one binds automatically; several gives you a picker. The grant is bound to that installation ID — every future mint is fenced to it by GitHub itself.
Let the agent mint — read-only by default
Your agent calls one tool, github_token. No arguments mints contents: read; writes are requested explicitly per task — e.g. contents + pull_requests write — optionally down-scoped to named repos. Tokens live ≤1 hour; expiry is the rotation. Use as a git-over-HTTPS password (x-access-token) or REST Bearer token.
Provenance and the kill switch
Commits and PRs land under the App's [bot] identity — auditable by design. Want PRs authored as you? Have the agent push the branch and hand you GitHub's /pull/new/<branch> link. Uninstalling the App ends minting for your account instantly; outstanding tokens die within the hour.
Started from the GitHub side instead?
If you clicked Install on the GitHub App first, you're halfway there — GitHub knows about us, but your AI doesn't yet. Do the connector step above and you're done. Nothing you did on GitHub is wasted; the connector flow recognizes your installation and skips straight to done.
On the phone: you can't add a custom connector from the iOS app yet — add it once on the web or desktop app, and from then on it works on your phone too.
Team/Enterprise: an org Owner adds the connector via Organization Settings first; members then connect individually with their own GitHub identities. The full security model — what's stored (nothing token-shaped), blast radius, the Workflows-write escalation trade — lives on the under-the-hood page and in the repo README.