Why GitHub API don't allow read access for public and private repos? #166582
Replies: 8 comments 6 replies
-
| The app asks for write access because the developer chose broader permissions, even if it's only reading data. Sometimes it's for future features, or just easier for the developer but it's not always necessary. If you don’t trust it, don’t give access. | 
-
| GitHub API requires explicit permission scopes to ensure security and user control. Even for reading private repos, it needs repo scope, which includes write access, because GitHub doesn’t provide a separate read-only private repo scope. This limitation exists to simplify permission management but can be problematic for apps that only need read access. | 
-
| GitHub’s permission model sometimes requires apps to request write access even if they only read data because: Read access to private repositories requires broader scopes that are bundled with write permissions for security reasons. Some API operations that seem “read-only” internally use write scopes (e.g., creating temporary tokens, managing webhooks, or caching data). GitHub limits fine-grained permissions to simplify security and avoid fragmented access rights. If an app asks for write access, it’s often because the permissions it needs (especially for private repos) are combined with write scopes in GitHub’s permission system, not because it will necessarily change your data. | 
-
| You need to give write permission because GitHub groups read and write access together in the same permission scope. Even if the app only reads data, it must request the combined scope, as GitHub doesn't allow more granular control in some cases. | 
        -
| GitHub’s permission system is sometimes too coarse-grained. To read private repos, the app must request a scope (repo) that also includes write permissions. So it looks like “asking for too much,” but in reality it’s because GitHub doesn’t provide a cleaner option. | 
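The replies above point to the classic `repo` scope as the reason a read-only app ends up holding write access. As an added example (not part of the thread and not GitHub's code), this Python reads a token's scopes from the `X-OAuth-Scopes` response header and reports what they allow on repository code; scope meanings follow GitHub's OAuth scope documentation, and the function names and sample headers are constructed for illustration.

```python
# Added example: audit a token's classic OAuth scopes as reported in the
# X-OAuth-Scopes response header. Sample headers are constructed.

# Scopes that grant write access to repository code, and which repos they cover.
CODE_WRITE = {"repo": "public and private", "public_repo": "public only"}
# Narrower repo-family scopes that do not grant access to code.
NO_CODE_ACCESS = {"repo:status", "repo_deployment", "repo:invite", "security_events"}


def parse_scopes(headers):
    """Return the scope set from X-OAuth-Scopes, or None if the header is absent."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":  # header names are case-insensitive
            return {s.strip() for s in value.split(",") if s.strip()}
    return None


def audit(headers):
    """Summarise what a token can do to repository code."""
    scopes = parse_scopes(headers)
    if scopes is None:
        return {"scopes": None, "reads_private_code": None, "writes_code": None}
    return {
        "scopes": sorted(scopes),
        # `repo` is the classic scope that covers private repository code ...
        "reads_private_code": "repo" in scopes,
        # ... and the same scope carries write access to it.
        "writes_code": {s: CODE_WRITE[s] for s in sorted(scopes) if s in CODE_WRITE},
        "no_code_access": sorted(scopes & NO_CODE_ACCESS),
    }


# Constructed response headers for three hypothetical tokens.
SAMPLES = {
    "reader-app": {"X-OAuth-Scopes": "repo, read:org"},
    "status-bot": {"x-oauth-scopes": "repo:status, public_repo"},
    "no-scopes": {"X-OAuth-Scopes": ""},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit(hdrs))
```

An empty scope list corresponds to read-only access to public information.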
-
| GitHub API requires authentication for private repositories and certain actions, even if a repository is public. For public repos, you can read most content anonymously, but some endpoints (like user data, repo stats, or private interactions) always need a token for security and rate-limiting reasons. This ensures that GitHub can track usage, prevent abuse, and protect private data. | 
-
What is the reason behind the fact that you need to give permission to write to your repository even if the app only reads the data and doesn't write anything?
I just wanted to use an app, but it requires write access, because the pro version requires read access to private repositories. But it still has write access for no reason.