Back to blog
Integrationgithubrecipe

Connect the GitHub API to Claude with an MCP server

Expose the GitHub REST API as MCP tools so your AI client can read issues, PRs, and repos. Covers token auth, choosing safe tools, and the connect snippet.

June 11, 2026·7 min read

Connecting GitHub to your AI client turns "what's open on the payments repo?" into a question you can just ask. In this recipe you'll expose the GitHub REST API as an MCP server — reading issues, pull requests, and code search — using a fine-grained personal access token kept safely on the server side.

Key takeaways
  • GitHub's REST API authenticates with a token sent as a bearer header.
  • Use a fine-grained personal access token scoped to only the repos and read permissions you need.
  • Expose read tools (issues, PRs, search); keep create/delete disabled to start.
  • Cast stores the token encrypted and injects it on every call.
  • Your AI client connects to a single URL — the token never leaves the server.

1. Create a fine-grained personal access token

In GitHub, go to Settings → Developer settings → Personal access tokens → Fine-grained tokens. Limit it to the specific repositories you want, and grant read-only permissions (for example, read access to Issues, Pull requests, and Contents). Copy the token — it starts with github_pat_.

🔐

Fine-grained tokens let you scope access to individual repos. Prefer them over classic tokens, and grant the minimum read permissions the tools need.

2. Create a workspace and upload GitHub's spec

GitHub publishes its full REST API as an OpenAPI description. Create a workspace, open the Upload tab, and provide the spec by URL or file. Because the spec is large, tool generation may take a moment.

Workspace navigationactual UI
overview
upload
configure
connect
analytics
logs

3. Configure auth — Bearer Token

GitHub expects Authorization: Bearer github_pat_…. On the Configure tab, choose Bearer Token, set the API base URL to https://api.github.com, and paste your token.

Workspace navigationactual UI
overview
upload
configure
connect
analytics
logs
Configure → Authactual UI

API Base URL

https://api.github.com
🔑

Bearer Token

Authorization: Bearer <token>

#

API Key Header

X-Api-Key: <key>

Custom Headers

Any header name + value

🌐

OAuth 2.0

PKCE · DCR support

Bearer Token

eyJhbGciOi…

Stored encrypted — never visible after saving.

Save auth configuration

4. Enable the read tools you want

GitHub's API has hundreds of operations. Don't expose them all — pick the handful that match your use case and leave write operations off:

Configure → Toolsactual UI
GET

listIssues

/repos/{owner}/{repo}/issues

GET

getIssue

/repos/{owner}/{repo}/issues/{n}

GET

listPulls

/repos/{owner}/{repo}/pulls

GET

searchCode

/search/code

POST

createIssue

/repos/{owner}/{repo}/issues

DELETE

deleteRepo

/repos/{owner}/{repo}

Save changes
🎯

A focused toolset makes the model far more accurate. Listing issues, listing pull requests, and code search cover most day-to-day questions.

5. Get your MCP URL

Open the Connect tab and copy the snippet. Cast injects your GitHub token on every upstream call, so your client only needs the URL.

Connect → Your MCP URLactual UI
Claude Desktop
Cursor
Windsurf
Cline
claude_desktop_config.json Copy
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://mcp.getcast.io/github-cmpgh77231"
      ]
    }
  }
}
Server active · 0 errors

Try it

prompt
"List the 10 most recently updated open issues on acme/payments."
"Summarize the open pull requests on acme/web and who they're assigned to."
"Search our org's code for usages of the deprecated 'legacyCharge' function."

6. Watch sessions, then grow the toolset

Once your team connects, Cast tracks each connection as a session — transport, geography, duration, and how many tools it called — so you can see real usage instead of guessing:

Analytics → Sessionsactual UI
🇺🇸

United States

4m 06s · 19 tool calls

sselive
🇩🇪

Germany

1m 22s · 8 tool calls

sseended
🇮🇳

India

41s · 5 tool calls

httpended

Cast also mines the sequences of tools agents call across sessions. Strong patterns show what your team relies on; gaps show where they keep reaching for a capability you haven't enabled:

Analytics → Patternsactual UI
listPullsgetIssue

"what's blocking the open PRs on acme/web?"

seen in 33 sessions
getIssuelistComments?

"summarize the discussion on issue #482"

seen in 24 sessions

The pattern view makes the next move obvious: agents keep trying to read issue comments after opening an issue, but listComments isn't enabled. Toggle it on in Configure, and you've grown the server in response to actual demand. This is the loop — launch a focused toolset, watch the sessions, add what people reach for.

Production checklist

  • Scope the token to specific repos and read-only permissions.
  • Keep createIssue, deleteRepo, and other writes disabled until needed.
  • Be mindful of GitHub's rate limits — enable Cast's rate limiting for busy agents.
  • Check the Logs and Patterns tabs to confirm what's called and what to add next.

Connect GitHub — and any other API — to your AI

Upload an OpenAPI spec, configure auth, and get a live MCP endpoint in minutes — no infrastructure to manage.

Try Cast free

Frequently asked questions

Classic token or fine-grained token?

Prefer a fine-grained personal access token. It lets you limit access to specific repositories and grant only read permissions, which is much safer for AI access.

Can the AI open or close issues?

Only if you enable the write tools and grant the matching token permissions. Start read-only and add writes deliberately.

Will I hit GitHub rate limits?

Possibly, with a busy agent. Expose a focused toolset and turn on Cast's rate limiting to stay within GitHub's limits.

Does this work for GitHub Enterprise?

Yes — set the API base URL to your Enterprise API host instead of api.github.com and use a token from that instance.

Keep reading

Turn the Stripe API into MCP tools for Claude

A step-by-step recipe to expose Stripe's REST API as a secure MCP server — read-only by default — so you can pull customers, invoices, and balances straight from your AI client.