feat: support GitHub App authentication in HTTP mode

The HTTP command now parses the same GITHUB_APP_* environment variables
as stdio mode. When configured, a new middleware injects an installation
token into the request context, allowing callers to connect without an
Authorization header.

Also strip a trailing slash from the App auth base URL: APIHost returns
"https://api.github.com/", which previously produced a "//app/..." path
that GitHub answered with 404.

Author: pyama86

cmd/github-mcp-server/main.go

@@ -145,6 +145,11 @@ var (
 				}
 			}
 
+			appID, privateKey, installationID, err := parseAppAuthConfig()
+			if err != nil {
+				return err
+			}
+
 			ttl := viper.GetDuration("repo-access-cache-ttl")
 			httpConfig := ghhttp.ServerConfig{
 				Version:              version,
@@ -166,6 +171,9 @@ var (
 				EnabledFeatures:      enabledFeatures,
 				InsidersMode:         viper.GetBool("insiders"),
 				TrustProxyHeaders:    viper.GetBool("trust-proxy-headers"),
+				AppID:                appID,
+				PrivateKey:           privateKey,
+				InstallationID:       installationID,
 			}
 
 			return ghhttp.RunHTTPServer(httpConfig)

pkg/github/appauth/appauth.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 )
@@ -67,6 +68,9 @@ func NewTransport(base http.RoundTripper, cfg Config) (*Transport, error) {
 	if cfg.BaseURL == "" {
 		cfg.BaseURL = "https://api.github.com"
 	}
+	// Why: APIHost.BaseRESTURL returns "https://api.github.com/" (with trailing slash).
+	// Concatenating that with "/app/installations/..." yields "//app/..." which GitHub returns 404 for.
+	cfg.BaseURL = strings.TrimRight(cfg.BaseURL, "/")
 	return &Transport{
 		config: cfg,
 		key:    key,

pkg/github/appauth/appauth_test.go

@@ -132,6 +132,18 @@ func TestNewTransport_CustomBaseURL(t *testing.T) {
 	assert.Equal(t, "https://github.example.com/api/v3", tr.config.BaseURL)
 }
 
+func TestNewTransport_TrimsTrailingSlash(t *testing.T) {
+	_, pemBytes := generateTestKey(t)
+	tr, err := NewTransport(nil, Config{
+		AppID:          123,
+		PrivateKey:     pemBytes,
+		InstallationID: 456,
+		BaseURL:        "https://api.github.com/",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "https://api.github.com", tr.config.BaseURL)
+}
+
 func TestTransport_GenerateJWT(t *testing.T) {
 	key, pemBytes := generateTestKey(t)
 	tr, err := NewTransport(nil, Config{

pkg/http/handler.go

@@ -8,6 +8,7 @@ import (
 
 	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	"github.com/github/github-mcp-server/pkg/github"
+	"github.com/github/github-mcp-server/pkg/github/appauth"
 	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/http/oauth"
 	"github.com/github/github-mcp-server/pkg/inventory"
@@ -36,6 +37,7 @@ type Handler struct {
 	oauthCfg               *oauth.Config
 	scopeFetcher           scopes.FetcherInterface
 	schemaCache            *mcp.SchemaCache
+	appAuthTransport       *appauth.Transport
 }
 
 type HandlerOptions struct {
@@ -44,6 +46,7 @@ type HandlerOptions struct {
 	OAuthConfig            *oauth.Config
 	ScopeFetcher           scopes.FetcherInterface
 	FeatureChecker         inventory.FeatureFlagChecker
+	AppAuthTransport       *appauth.Transport
 }
 
 type HandlerOption func(*HandlerOptions)
@@ -54,6 +57,16 @@ func WithScopeFetcher(f scopes.FetcherInterface) HandlerOption {
 	}
 }
 
+// WithAppAuthTransport configures the handler to authenticate outbound GitHub
+// API calls using a GitHub App installation. When set, an incoming request
+// without an Authorization header is allowed: the middleware injects the
+// installation token derived from this transport into the request context.
+func WithAppAuthTransport(t *appauth.Transport) HandlerOption {
+	return func(o *HandlerOptions) {
+		o.AppAuthTransport = t
+	}
+}
+
 func WithGitHubMCPServerFactory(f GitHubMCPServerFactoryFunc) HandlerOption {
 	return func(o *HandlerOptions) {
 		o.GitHubMcpServerFactory = f
@@ -122,10 +135,14 @@ func NewHTTPMcpHandler(
 		oauthCfg:               opts.OAuthConfig,
 		scopeFetcher:           scopeFetcher,
 		schemaCache:            schemaCache,
+		appAuthTransport:       opts.AppAuthTransport,
 	}
 }
 
 func (h *Handler) RegisterMiddleware(r chi.Router) {
+	if h.appAuthTransport != nil {
+		r.Use(middleware.WithGitHubAppToken(h.appAuthTransport, h.logger))
+	}
 	r.Use(
 		middleware.ExtractUserToken(h.oauthCfg),
 		middleware.WithRequestConfig,

pkg/http/middleware/app_auth.go

@@ -0,0 +1,49 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+	"github.com/github/github-mcp-server/pkg/github/appauth"
+	"github.com/github/github-mcp-server/pkg/utils"
+)
+
+// WithGitHubAppToken injects a GitHub App installation token into the request
+// context when the incoming request does not already carry one. This lets the
+// HTTP server authenticate as a GitHub App installation instead of requiring
+// every caller to send an Authorization header.
+//
+// If the request already carries TokenInfo (e.g., an explicit Authorization
+// header parsed earlier), this middleware is a no-op so per-request tokens
+// take precedence.
+//
+// Why: the HTTP server's downstream pipeline (ExtractUserToken,
+// RequestDeps.GetClient) is built around a per-request bearer token. Rather
+// than rewire that pipeline, we synthesize a TokenInfo from the installation
+// token so the existing flow works unchanged.
+func WithGitHubAppToken(transport *appauth.Transport, logger *slog.Logger) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			if _, ok := ghcontext.GetTokenInfo(ctx); ok {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			token, err := transport.Token(ctx)
+			if err != nil {
+				logger.Error("failed to obtain GitHub App installation token", "error", err)
+				http.Error(w, "failed to obtain GitHub App installation token", http.StatusInternalServerError)
+				return
+			}
+
+			ctx = ghcontext.WithTokenInfo(ctx, &ghcontext.TokenInfo{
+				Token:     token,
+				TokenType: utils.TokenTypeServerToServerGitHubAppToken,
+			})
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}

pkg/http/middleware/app_auth_test.go

@@ -0,0 +1,141 @@
+package middleware
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+	"github.com/github/github-mcp-server/pkg/github/appauth"
+	"github.com/github/github-mcp-server/pkg/utils"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func generateAppKey(t *testing.T) []byte {
+	t.Helper()
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	})
+}
+
+func newAppTransport(t *testing.T, baseURL string) *appauth.Transport {
+	t.Helper()
+	tr, err := appauth.NewTransport(http.DefaultTransport, appauth.Config{
+		AppID:          12345,
+		PrivateKey:     generateAppKey(t),
+		InstallationID: 67890,
+		BaseURL:        baseURL,
+	})
+	require.NoError(t, err)
+	return tr
+}
+
+func TestWithGitHubAppToken_InjectsToken(t *testing.T) {
+	var hits atomic.Int32
+	ghAPI := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		hits.Add(1)
+		w.WriteHeader(http.StatusCreated)
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"token":      "ghs_injected_token",
+			"expires_at": time.Now().Add(1 * time.Hour),
+		})
+	}))
+	defer ghAPI.Close()
+
+	tr := newAppTransport(t, ghAPI.URL)
+
+	var captured *ghcontext.TokenInfo
+	next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		info, _ := ghcontext.GetTokenInfo(r.Context())
+		captured = info
+	})
+
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+	handler := WithGitHubAppToken(tr, logger)(next)
+
+	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+	require.NotNil(t, captured)
+	assert.Equal(t, "ghs_injected_token", captured.Token)
+	assert.Equal(t, utils.TokenTypeServerToServerGitHubAppToken, captured.TokenType)
+	assert.Equal(t, int32(1), hits.Load())
+}
+
+func TestWithGitHubAppToken_PreservesExistingTokenInfo(t *testing.T) {
+	var hits atomic.Int32
+	ghAPI := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		hits.Add(1)
+		w.WriteHeader(http.StatusCreated)
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"token":      "ghs_should_not_be_used",
+			"expires_at": time.Now().Add(1 * time.Hour),
+		})
+	}))
+	defer ghAPI.Close()
+
+	tr := newAppTransport(t, ghAPI.URL)
+
+	pre := &ghcontext.TokenInfo{
+		Token:     "ghp_explicit",
+		TokenType: utils.TokenTypePersonalAccessToken,
+	}
+
+	var captured *ghcontext.TokenInfo
+	next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		info, _ := ghcontext.GetTokenInfo(r.Context())
+		captured = info
+	})
+
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+	handler := WithGitHubAppToken(tr, logger)(next)
+
+	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
+	req = req.WithContext(ghcontext.WithTokenInfo(req.Context(), pre))
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+	require.NotNil(t, captured)
+	assert.Equal(t, "ghp_explicit", captured.Token)
+	assert.Equal(t, int32(0), hits.Load(), "installation token should not have been fetched")
+}
+
+func TestWithGitHubAppToken_PropagatesFetchError(t *testing.T) {
+	ghAPI := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		http.Error(w, "boom", http.StatusInternalServerError)
+	}))
+	defer ghAPI.Close()
+
+	tr := newAppTransport(t, ghAPI.URL)
+
+	nextCalled := false
+	next := http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
+		nextCalled = true
+	})
+
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+	handler := WithGitHubAppToken(tr, logger)(next)
+
+	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusInternalServerError, rr.Code)
+	assert.False(t, nextCalled, "next handler must not run when token fetch fails")
+}

pkg/http/server.go

@@ -13,6 +13,7 @@ import (
 
 	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	"github.com/github/github-mcp-server/pkg/github"
+	"github.com/github/github-mcp-server/pkg/github/appauth"
 	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/http/oauth"
 	"github.com/github/github-mcp-server/pkg/inventory"
@@ -94,6 +95,14 @@ type ServerConfig struct {
 
 	// InsidersMode expands to the curated set of feature flags enabled for insiders.
 	InsidersMode bool
+
+	// GitHub App authentication (alternative to per-request bearer tokens).
+	// When AppID, PrivateKey, and InstallationID are all set, the server
+	// authenticates outbound GitHub API calls as a GitHub App installation
+	// instead of requiring an Authorization header on incoming requests.
+	AppID          int64
+	PrivateKey     []byte
+	InstallationID int64
 }
 
 func RunHTTPServer(cfg ServerConfig) error {
@@ -168,6 +177,24 @@ func RunHTTPServer(cfg ServerConfig) error {
 		serverOptions = append(serverOptions, WithScopeFetcher(scopeFetcher))
 	}
 
+	if cfg.AppID != 0 && len(cfg.PrivateKey) > 0 && cfg.InstallationID != 0 {
+		baseURL, err := apiHost.BaseRESTURL(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to get base REST URL for app auth: %w", err)
+		}
+		appTransport, err := appauth.NewTransport(http.DefaultTransport, appauth.Config{
+			AppID:          cfg.AppID,
+			PrivateKey:     cfg.PrivateKey,
+			InstallationID: cfg.InstallationID,
+			BaseURL:        baseURL.String(),
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create GitHub App auth transport: %w", err)
+		}
+		serverOptions = append(serverOptions, WithAppAuthTransport(appTransport))
+		logger.Info("using GitHub App authentication", "appID", cfg.AppID, "installationID", cfg.InstallationID)
+	}
+
 	r := chi.NewRouter()
 	handler := NewHTTPMcpHandler(ctx, &cfg, deps, t, logger, apiHost, append(serverOptions, WithFeatureChecker(featureChecker), WithOAuthConfig(oauthCfg))...)
 	oauthHandler, err := oauth.NewAuthHandler(oauthCfg, apiHost)