Register a GitHub App, note its numeric App ID, and download (or store securely) the private key PEM file
Mint a JWT signed with RS256: set 'iat' to current epoch minus a small skew, 'exp' to current epoch plus at most 10 minutes, and 'iss' to the App ID as a string
Send the JWT as a Bearer token in a 'GET /app/installations' request to list installations, then identify the target installation ID
POST to '/app/installations/{installation_id}/access_tokens' with the JWT in the Authorization header; optionally include 'repositories' or 'permissions' in the body to scope the token
Use the returned 'token' value (valid for one hour) as a Bearer token for subsequent API calls; cache and reuse it until near expiry
Known gotchas
The private key must remain secret; never embed it in source code or environment variables visible in logs — use a secrets manager or encrypted secret store
JWTs expire after at most 10 minutes; installation tokens expire after 1 hour; build token refresh logic rather than generating new ones for every request
Clock skew between the signing host and GitHub servers can cause 'iat' validation failures; subtract a small buffer (around 60 seconds) from 'iat' to avoid this
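The token lifecycle from the steps and gotchas above (back-dated 'iat', 'exp' under 10 minutes, installation token reused until near expiry), as an added Python example that is not part of the original page. The 5-minute refresh margin, the load_key callable standing in for a secrets-manager lookup, and all class and function names are assumptions; signing uses the third-party PyJWT package, and 'expires_at' is the expiry field GitHub returns alongside 'token'.

```python
import json
import time
import urllib.request
from datetime import datetime

JWT_SKEW = 60         # back-date iat by ~60 s to absorb clock skew
JWT_LIFETIME = 540    # exp stays under GitHub's 10-minute ceiling
REFRESH_MARGIN = 300  # assumption: renew 5 minutes before expires_at


def app_jwt_claims(app_id, now):
    """Claims for the short-lived App JWT; iss must be a string."""
    return {"iat": int(now) - JWT_SKEW, "exp": int(now) + JWT_LIFETIME, "iss": str(app_id)}


def sign_rs256(claims, private_key_pem):
    """Sign with PyJWT (third-party, needs its crypto extra), imported lazily."""
    import jwt
    return jwt.encode(claims, private_key_pem, algorithm="RS256")


def github_post(path, app_jwt):
    """POST to the GitHub REST API with the App JWT as Bearer token."""
    req = urllib.request.Request(
        "https://api.github.com" + path, method="POST",
        headers={"Authorization": f"Bearer {app_jwt}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class InstallationTokenCache:
    """Hands out one installation token until it is close to expiry."""
    def __init__(self, app_id, installation_id, load_key,
                 exchange=github_post, sign=sign_rs256, clock=time.time):
        self.app_id, self.installation_id = app_id, installation_id
        self.load_key = load_key  # hypothetical: fetches the PEM from a secret store
        self.exchange, self.sign, self.clock = exchange, sign, clock
        self._token, self._expires = None, 0.0

    def token(self):
        now = self.clock()
        if self._token is None or now >= self._expires - REFRESH_MARGIN:
            app_jwt = self.sign(app_jwt_claims(self.app_id, now), self.load_key())
            path = f"/app/installations/{self.installation_id}/access_tokens"
            body = self.exchange(path, app_jwt)
            expires = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
            self._token, self._expires = body["token"], expires.timestamp()
        return self._token
```

The private key is fetched only at signing time and is never kept on the cache object, so it does not appear in the object's repr or in pickled state.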