
Connecting Your Account

GitHub OAuth and permissions

Axiomo uses GitHub OAuth to authenticate users and access repository data. This page explains what permissions we request and how your data is handled.


Why Connect Your Account?

You can analyze public PRs without signing in. Connecting your GitHub account unlocks:

  • Scan history - Your analyzed PRs are saved permanently
  • Private repos - Analyze PRs from your private repositories
  • Higher rate limits - Authenticated requests have higher GitHub API limits
  • Contributor context - Richer trust signals from your organization's history

Permissions Requested

When you sign in with GitHub, we request the following OAuth scopes:

read:user

Allows us to read your basic profile information:

  • Username
  • Display name
  • Avatar URL
  • GitHub user ID

user:email

Allows us to read your email address. We use this to:

  • Identify your account
  • Send important notifications (optional, you control this in settings)

repo

Allows us to read repository contents. We use this to:

  • Fetch PR metadata (title, description, author)
  • Read the diff (changed files)
  • Check CI status and check runs
  • Fetch contributor history for trust signals

Note: We request the repo scope because it is the only way to access private repositories. For public repositories alone, a less permissive scope would suffice, but GitHub's OAuth model requires repo for private repository access.


What We Store

When you connect your account, we store:

  • Profile info - Username, email, name, avatar URL
  • Access token - Your GitHub OAuth token (encrypted at rest)
  • Scan history - The Signals you've generated

We do not store:

  • Your source code - We only read it during analysis
  • Your repository list - We only access repos when you analyze a PR
  • Commit history - We only read what's needed for the current PR

How It Works

  1. Click "Sign in with GitHub" - You're redirected to GitHub's authorization page
  2. Review permissions - GitHub shows you exactly what access we're requesting
  3. Authorize - Click "Authorize" to grant access
  4. Redirect back - You're returned to Axiomo, now signed in

Your session lasts 7 days. After that, you'll need to sign in again.


Revoking Access

You can revoke Axiomo's access at any time:

  1. Go to GitHub Settings > Applications
  2. Find "Axiomo" in the list
  3. Click "Revoke"

This immediately invalidates your access token. You can also delete your account from the Settings page, which removes all your stored data.


Security

We take security seriously:

  • HTTPS only - All traffic is encrypted
  • HttpOnly cookies - Session tokens can't be accessed by JavaScript
  • CSRF protection - OAuth state tokens prevent cross-site attacks
  • Token encryption - Access tokens are encrypted at rest
  • No client-side tokens - Your GitHub token never touches the browser
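The sign-in flow under "How It Works" and the state-token and HttpOnly-cookie measures above, shown together as an added illustration (this is example code, not Axiomo's own implementation; the client id, redirect URI and cookie name are assumed placeholders). It builds the GitHub authorization URL with the three scopes this page lists, binds a one-time state token to the server-side session, rejects a callback whose state does not match, and sends the browser only a session cookie, never the GitHub access token.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Scopes exactly as listed on this page; client id and redirect URI are placeholders.
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
SCOPES = ["read:user", "user:email", "repo"]
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"            # assumption
REDIRECT_URI = "https://example.invalid/auth/callback"  # assumption
SESSION_LIFETIME = 7 * 24 * 3600               # 7 days, as the page states


def begin_login(session: dict) -> str:
    """Create a one-time state token, store it in the server-side session,
    and return the GitHub authorization URL to redirect the user to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{GITHUB_AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Verify the state GitHub echoed back against the session's copy.
    Returns the authorization code; raises if the state is missing or wrong."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)   # single use: always consume it
    if not expected or not hmac.compare_digest(expected.encode(), returned_state.encode()):
        raise PermissionError("OAuth state mismatch: possible CSRF, sign-in rejected")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the login session: HttpOnly keeps it away from
    JavaScript, Secure restricts it to HTTPS, and only the opaque session id
    reaches the browser; the GitHub access token stays server-side."""
    return (f"__Host-session={session_id}; HttpOnly; Secure; SameSite=Lax; "
            f"Path=/; Max-Age={SESSION_LIFETIME}")
```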

If you have security concerns, please email security@axiomo.app.