QuickIssue Help

Guides for setup, GitHub integration, and daily usage.

GitHub Token Security Guide

This guide explains the security considerations for GitHub Personal Access Tokens (PATs) used with QuickIssue.

Understanding the repo Scope

QuickIssue requires the repo scope to create issues on your behalf. Here's what you should know about this permission:

What repo access includes

  • Full read and write access to all your public and private repositories
  • Access to code, commit statuses, repository invitations, and collaborators
  • Ability to create, edit, and delete issues, pull requests, and comments
  • Access to repository webhooks and deploy keys

⚠️ Important: While QuickIssue only uses this permission to create issues, the token itself has broader capabilities. Be mindful of where you store and use it.

Alternative: public_repo scope

If you only need to create issues in public repositories, you can select the more limited public_repo scope instead of repo. This restricts the token's access to public repositories only, providing better security if you don't need private repository access.

Token Expiration Best Practices

GitHub allows you to set an expiration period when creating a token. Here are our recommendations:

Expiration Period    Recommendation
7 days               Most secure, but requires frequent renewal
30–90 days           ✅ Recommended balance of security and convenience
1 year               Convenient but higher risk if compromised
No expiration        ⚠️ Not recommended for security reasons

💡 When your token expires: QuickIssue will prompt you to re-authenticate. Simply create a new token following the same steps and enter it in the app.
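To check an existing token against the scope and expiration advice above, you can inspect the headers GitHub returns on any authenticated API call: X-OAuth-Scopes and github-authentication-token-expiration. The script below is an added example, not part of QuickIssue; the function names, the GITHUB_TOKEN environment variable, and the two accepted timestamp layouts are assumptions of this sketch.

```python
"""Added example: audit a GitHub token against this guide's advice."""
import os
import urllib.request
from datetime import datetime, timezone

MAX_DAYS = 90  # upper end of the guide's recommended 30-90 day window

def fetch_headers(token):
    """GET /user with the token and return the response headers."""
    req = urllib.request.Request("https://api.github.com/user", headers={
        "Authorization": f"Bearer {token}", "User-Agent": "pat-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

def parse_expiry(value):
    """Parse the expiration header; a zone name or a numeric offset is accepted."""
    for fmt in ("%Y-%m-%d %H:%M:%S %Z", "%Y-%m-%d %H:%M:%S %z"):
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognized expiration format: {value!r}")

def audit(headers, now=None):
    """Return findings for one response's headers (empty list = nothing to fix)."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # Classic tokens list granted scopes here; fine-grained tokens send none.
    scopes = {s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()}
    if "repo" in scopes:
        findings.append("scope 'repo' covers private repositories; prefer public_repo")
    extra = sorted(scopes - {"repo", "public_repo"})
    if extra:
        findings.append("scopes QuickIssue does not need: " + ", ".join(extra))
    # The expiration header is absent when the token never expires.
    exp = h.get("github-authentication-token-expiration")
    if exp is None:
        findings.append("token has no expiration")
    else:
        days = (parse_expiry(exp) - now).days
        if days > MAX_DAYS:
            findings.append(f"token expires in {days} days, more than {MAX_DAYS}")
    return findings

if __name__ == "__main__":
    # GITHUB_TOKEN is an assumed variable name; never hard-code the token.
    for finding in audit(fetch_headers(os.environ["GITHUB_TOKEN"])):
        print("WARN:", finding)
```

An empty result means the token matches the recommendations; an expired or revoked token makes the request itself fail with HTTP 401.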

Security Best Practices

Your GitHub token is as sensitive as your password. Follow these guidelines to keep it secure:

Do's

  • ✅ Set a reasonable expiration period (30–90 days)
  • ✅ Use the minimum scope required (public_repo if possible)
  • ✅ Regularly review your tokens at GitHub Token Settings
  • ✅ Revoke tokens you no longer use

Don'ts

  • ❌ Never commit your token to a repository
  • ❌ Never share your token with others
  • ❌ Never post your token in public forums or chat
  • ❌ Never store your token in plain text files

⚠️ If your token is exposed: If you accidentally commit your token to a public repository or share it, immediately go to GitHub Token Settings, delete the compromised token, and generate a new one.

Fine-grained Personal Access Tokens

For advanced users who want more granular control, GitHub offers Fine-grained Personal Access Tokens. These provide:

  • Repository-specific access: Limit the token to specific repositories only
  • Granular permissions: Select exactly which permissions to grant (e.g., Issues read/write only)
  • Organization policies: Better compliance with organization security policies

To create a Fine-grained token:

  1. Go to GitHub Fine-grained Token Settings
  2. Click "Generate new token"
  3. Select the specific repositories you want to grant access to
  4. Under "Repository permissions", enable "Issues" with "Read and write" access
  5. Generate and copy the token

📖 For detailed instructions, see the GitHub documentation on Fine-grained tokens.