Background
To securely fetch source code for our LLM agent, we need a dedicated, decoupled AuthServer. This service will act as the central authority for managing GitHub App credentials (.pem) and issuing short-lived, least-privilege tokens to the LLM Server, preventing the exposure of long-term secrets.
Core Requirements
- JWT Generation: Securely sign and generate a JSON Web Token (JWT) using the GitHub App's private key (
.pem).
- IAT Exchange: Exchange the JWT for an Installation Access Token (IAT) via the GitHub REST API.
- Scoped Tokens (Least Privilege): The endpoint must accept target repository names from the LLM server's request and issue an IAT restricted only to those specific repositories (mitigating prompt injection risks).
Tasks
Background
To securely fetch source code for our LLM agent, we need a dedicated, decoupled AuthServer. This service will act as the central authority for managing GitHub App credentials (
.pem) and issuing short-lived, least-privilege tokens to the LLM Server, preventing the exposure of long-term secrets.Core Requirements
.pem).Tasks
POST /api/auth/github/token)..pem, App ID, Installation ID) using environment variables or a Secrets Manager.