PAT Fallback
The Wololo GitHub App (Pattern B) is the recommended way to give agents GitHub access — it handles auth automatically, scopes permissions correctly, and doesn't expire. But if you can't install the GitHub App (org policies, enterprise restrictions, evaluation without org access), a Personal Access Token (PAT) works as a fallback.
When to use PAT fallback
- GitHub org doesn't allow third-party app installations without admin approval
- You're evaluating on a personal repo before org rollout
- The GitHub App installation failed and you need agents unblocked immediately
- You need access to a specific repo the App doesn't cover
Creating the PAT
Use a fine-grained PAT (not a classic token). Required permissions:
- Contents — read and write (clone, push, read files)
- Pull requests — read and write (open PRs, comment)
- Issues — read and write (create, comment, close issues)
- Actions — read (check CI status)
- Metadata — read (required by GitHub for all fine-grained tokens)
Scope the token to the specific repositories your agents need access to. Don't use "All repositories" unless necessary — least-privilege applies here. Set expiration to 90 days maximum and rotate on schedule.
Configuring the PAT
Add the PAT as a secret named GITHUB_TOKEN in the Secrets step of the onboarding wizard, or via Mission Control's secrets management after provisioning. Agents pick it up automatically — the GitHub integration layer checks for GITHUB_TOKEN in the environment before falling back to the installed App credentials.
GITHUB_TOKEN=github_pat_...The token is stored encrypted in Supabase Vault and injected into agent sessions at start time. It never appears in logs, Discord, or any agent output.
Limitations vs GitHub App
| Feature | GitHub App | PAT Fallback |
|---|---|---|
| Expiry | Never | Max 1 year (rotate manually) |
| Auth scope | Installation-scoped | User-scoped |
| Webhook events | Yes | No |
| Org-level permissions | Yes | Limited |
| Audit trail attribution | App identity | Your user identity |
| Rate limits | Higher (5000 req/hr per install) | Standard (5000 req/hr per user) |
Migrating from PAT to GitHub App
When you're ready to switch to the GitHub App, install it via theGitHub App Setup guide. Once installed, remove the GITHUB_TOKEN secret from Mission Control — the App credentials take precedence. Verify by checking that agents are attributing commits and PRs to the App identity rather than your personal account.
See also
- GitHub App Setup — the recommended authentication path
- Security Model — how secrets are stored and injected