My Apps: Git Credentials

Git Credentials let you deploy My Apps from private GitHub, GitLab, or Gitea repositories without ever sharing your Personal Access Token (PAT) in chat or MCP arguments. You register the PAT once under a friendly name; OSC stores it securely, and you reference it by name thereafter.

Why Use Git Credentials

When you deploy from a private repository, OSC needs your PAT to clone the code. Without git credentials, you would paste the raw token into an MCP tool argument or the web form — where it appears in chat history, MCP audit logs, and browser memory. Git credentials avoid this:

• The PAT is entered in your browser (or via a terminal command you run yourself) and stored encrypted server-side.
• Only the friendly name (e.g. "my-github-token") appears in MCP conversations and deployment records.
• Token rotation replaces the stored value without changing the name — running apps continue to reference the same credential key.

Prerequisites

• An OSC account on any plan
• A Personal Access Token from GitHub, GitLab, or Gitea with at least read access to the target repository

Register a Git Credential

You can register a credential in three ways. All three store the PAT under the same user.gitcred.<name> key.

Option 1: Web Console

1. Go to My Apps in the OSC web console.
2. Click the Git Credentials tab.
3. Click Add credential.
4. Choose Paste a PAT and enter a name and your token, or choose Use GitHub account if you have a connected GitHub account.
5. Click Save credential.

Option 2: MCP Browser Flow (recommended for AI agents)

Ask your AI assistant (via MCP) to start the registration flow:

Register a git credential called "my-github-token" for my private repository.

The start-git-credential-registration tool returns a one-time URL valid for 10 minutes:

1. Open the URL in your browser.
2. Log in with your OSC account if prompted.
3. Paste your PAT in the form and submit.

The PAT travels directly from your browser to OSC — it never passes through MCP, your AI assistant, or any chat log.

Option 3: Headless / CI Environments

Ask the AI assistant for curl instructions:

Give me the curl command to register a git credential called "ci-github-token".

The get-git-credential-setup-instructions tool returns a ready-to-run command:

curl -X PUT "https://deploy.svc.prod.osaas.io/mytenantsecrets/user.gitcred.ci-github-token" \
  -H "x-pat-jwt: Bearer $OSC_PAT_JWT" \
  -H "Content-Type: application/json" \
  -d '{"value":"YOUR_GITHUB_PAT_HERE"}'

Run this command in your own terminal. Replace YOUR_GITHUB_PAT_HERE with your actual PAT and set $OSC_PAT_JWT to your OSC Personal Access Token (from Settings → API). Do not paste the command back into AI chat.

Deploy a My App Using a Git Credential

Via MCP

Pass the credential name in create-my-app:

Create a My App called "myapp" from the private repo https://github.com/myorg/private-repo
using the git credential "my-github-token".

The create-my-app tool accepts a gitCredential parameter. The raw PAT never appears in the tool call.

Via Web Console

When creating a My App from a private repository, the Git Token (Optional) field in the Create App form offers two modes:

• Paste token — type or paste a Personal Access Token directly into the field; it is stored as a Kubernetes secret for that app.
• Use saved credential — select a credential you have already registered under My Apps → Git Credentials. The dropdown is populated from your saved credentials automatically.

Choose Use saved credential to avoid handling the raw token during app creation: the credential reference is stored instead of the token value itself.

Rotate a Credential

When a PAT expires, rotate without downtime:

1. Register a new PAT under the same friendly name (overwrite it via the web console, MCP browser flow, or curl).
2. Trigger a token update via MCP:

Update the git token for my app "myapp" to use the credential "my-github-token".

The update-my-app-github-token tool applies a rolling restart — the app stays at the same URL with no downtime.

Or update via MCP in one step:

Rotate the git credential for "myapp" to use "my-github-token" (already updated in OSC).

List Registered Credentials

List my git credentials.

The list-git-credentials MCP tool returns all friendly names with creation and last-updated timestamps. Credential values (PATs) are never returned.

You can also view credentials on the Git Credentials tab in My Apps.

Deprecated Inline Tokens

The gitToken and gitHubToken parameters on create-my-app and update-my-app-github-token are deprecated. They still work for one release cycle but will be removed in Phase 4. Migrate to gitCredential to keep PATs out of MCP arguments.

Available MCP Tools

Tool	Description
start-git-credential-registration	Start a browser-based PAT registration flow. Returns a one-time URL (valid 10 min).
get-git-credential-setup-instructions	Return a ready-to-run curl command for headless/CI credential registration.
list-git-credentials	List all registered credential names with timestamps. PAT values are never returned.
create-my-app	Pass gitCredential: "name" to deploy from a private repo.
update-my-app-github-token	Pass gitCredential: "name" to rotate a private repo token with rolling restart.

Resources

• My Apps dashboard
• Feature: My Agent Tasks — for deploying apps via AI agent