Can I get the Github access token?

My situation is very similar to the one presented here: "Accessing GitHub API".

This is a years-old topic, so I wanted to validate whether the response is still the same.
If it is, there is one thing that I don't understand: why, when I create the social connection to Github, can I select Github scopes if I will never be able to use them?

I also reached this topic, "The Github Social Connection is passing access token as part of a query param", where it seems the access token is being used to reach the Github API in some scenario.

So, can I get the access token from Github somehow after I have successfully obtained an Auth0 token, so I can access the Github API?

Hi @ggiussi,

Welcome to the Community!

The IDP (github) access tokens are available via the management API. This operation is covered here:

If you have a similar use-case as the thread you linked, specifically the part about wanting to do this all from a React (or similar client-side) application, then the thread is still relevant. The issue here is that SPAs have very limited access to the management API, due to their public nature. If you have a backend or API, you can proxy the request through there, making this possible via the doc I just linked.

Hope this helps to clarify!


Hello Dan, thanks for your help.
Does this proxy server need to be in the same domain as the SPA? Or can I have the following scenario?

  1. User opens the SPA and gets an access token against my configured SPA app in Auth0 (e.g., using Github credentials) (described here)
  2. SPA makes a request to my API using the access token from step (1)
  3. The proxy server validates the user access token from step (1) and extracts the user_id
  4. The proxy server gets a Management API JWT token with scopes (user_idp_tokens) using Machine to Machine credentials (described here)
  5. The proxy server calls /api/v2/user/{user-id} (described here) to get the Github token corresponding to the user.
  6. The proxy server uses the token from step (5) to create a repo in Github on the user's behalf.

I think steps 4, 5 and 6 are OK. My main concern is whether I can send the access token to the proxy server if it is in a different domain from the SPA; these are steps 2 and 3.


Yes, you described this correctly. Should work fine.

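Steps 4 and 5 of the proxy flow discussed above, as an added example that is not part of the original posts or Auth0's own code. It assumes the Management API's client-credentials grant at `/oauth/token`, the `GET /api/v2/users/{id}` endpoint and an M2M application granted the `read:user_idp_tokens` scope; the function names, the injectable `http` transport, the tenant domain and the sample responses are hypothetical and constructed.

```python
import json
import urllib.request
from urllib.parse import quote

def urllib_http(method, url, headers, body):
    """Real transport; any callable with this signature can be injected."""
    data = body.encode() if body else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_mgmt_token(http, domain, client_id, client_secret):
    """Step 4: client-credentials grant for the Management API (M2M app)."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "audience": f"https://{domain}/api/v2/"}
    resp = http("POST", f"https://{domain}/oauth/token",
                {"Content-Type": "application/json"}, json.dumps(body))
    return resp["access_token"]

def get_github_token(http, domain, mgmt_token, claims):
    """Step 5: read the caller's GitHub token from their Auth0 profile.

    `claims` is the payload of an access token the API has already verified
    (signature, iss, aud, exp). The user id is taken only from its `sub`,
    never from a parameter the SPA controls.
    """
    url = f"https://{domain}/api/v2/users/{quote(claims['sub'], safe='')}"
    user = http("GET", url, {"Authorization": f"Bearer {mgmt_token}"}, None)
    for ident in user.get("identities", []):
        if ident.get("provider") == "github" and ident.get("access_token"):
            return ident["access_token"]  # stays on the server, never sent to the SPA
    raise LookupError("no GitHub access token on this profile")

def fake_http(method, url, headers, body):
    """Constructed stand-in for Auth0 so the example runs offline."""
    if method == "POST" and url.endswith("/oauth/token"):
        return {"access_token": "mgmt-token-placeholder", "token_type": "Bearer"}
    if url.endswith("/api/v2/users/github%7C1234567"):
        return {"user_id": "github|1234567", "identities": [
            {"provider": "github", "user_id": 1234567,
             "access_token": "gho_placeholder", "isSocial": True}]}
    return {"identities": []}

if __name__ == "__main__":
    domain = "tenant.example.auth0.com"  # placeholder tenant
    mgmt = get_mgmt_token(fake_http, domain, "m2m-client-id", "m2m-secret")
    print(get_github_token(fake_http, domain, mgmt, {"sub": "github|1234567"}))
```

Pass `urllib_http` instead of `fake_http` to talk to a real tenant; the M2M client secret and the returned GitHub token both stay on the backend.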
