Docs

GitHub connector security model.

z-gateway uses GitHub App installation permissions and runtime token minting so agents authenticate to the gateway, not directly to GitHub.

Security model Policy guide

Why GitHub App installation

GitHub Apps provide repository-scoped installation permissions, auditable installation state, and short-lived installation tokens. That model fits z-gateway because each approved runtime action can be executed server-side without giving agents raw GitHub credentials.

Connector controls

Repo-scoped permissions

The GitHub App can be installed on selected repositories, limiting what the connector can reach.

Runtime installation token minting

z-gateway mints installation access only after policy allows the requested action.

Gateway-first authentication

Agents present z-gateway credentials. They do not authenticate directly to GitHub.

Supported and blocked actions

Action	Status	Notes
read_repo	Supported	Read repository metadata and confirm access.
get_file	Supported	Read a file from a connected repository.
create_issue	Supported	Create issues when policy and GitHub permissions allow it.
create_pr	Supported	Available for governed pull request workflows when enabled for the workspace.
list_pull_requests	Supported	List repository pull requests for review workflows.
delete_repo	Hard-blocked	Destructive repository deletion is not exposed as an allowed agent action.
push_protected_branch	Hard-blocked	Protected branch writes should go through branch and pull request policy, not direct pushes.

Runtime flow

Stage	What happens
Agent request	The AI agent invokes a GitHub tool through the z-gateway MCP server.
Policy check	z-gateway evaluates agent, environment, action, and repository scope.
Token mint	For allowed actions, the server mints a short-lived GitHub installation token.
Execution	The connector performs the approved GitHub action server-side.
Audit log	The decision, action, resource, and redacted request context are stored.