Authentication overview

Zube integrates directly with GitHub, serving as a project management layer atop GitHub Issues and pull requests. Consequently, its primary user authentication mechanism relies on GitHub's OAuth 2.0 implementation. This approach delegates user identity verification and access permissions to GitHub, simplifying the login process and centralizing identity management for users already active on GitHub. For programmatic interactions, such as building custom integrations or automating workflows, Zube provides API tokens. These tokens grant access to Zube resources without requiring a full user session and are the mechanism for server-to-server communication and third-party application access (see the Zube API documentation).

The choice of authentication method depends on the context: GitHub OAuth is used for interactive user sessions within the Zube web interface, while API tokens are suitable for headless operations, scripting, and integrations that require persistent, non-interactive access. Both methods contribute to Zube's security posture by adhering to established standards for identity verification and authorization, ensuring that access to project data is controlled and auditable.

Supported authentication methods

Zube supports two distinct authentication methods, each designed for different use cases:

  1. GitHub OAuth 2.0: This is the default and recommended method for human users logging into the Zube web application. When a user attempts to log in, Zube redirects the browser to GitHub's authorization server. The user authenticates with GitHub, grants Zube permission to access specific GitHub data (such as repositories, issues, and the user profile), and GitHub redirects the browser back to Zube with a short-lived authorization code. Zube exchanges this code, server-side, for an access token, which it uses to retrieve user information and manage GitHub resources on the user's behalf. Zube therefore never handles or stores GitHub user credentials; the password and any second factor are entered only on GitHub's pages. OAuth 2.0 is an industry-standard protocol for delegated authorization, widely adopted for secure third-party access (see the OAuth 2.0 specification, RFC 6749).
  2. API Tokens: For automated tasks, custom scripts, and integrations that operate outside of a user's interactive session, Zube provides API tokens. These tokens are long-lived, alphanumeric strings that grant specific permissions to access Zube's API endpoints. API tokens act as bearer tokens: anyone possessing a valid token can make requests to the API with the associated permissions, and the user's GitHub 2FA does not protect the token, since possession alone is sufficient. They are typically generated by an administrator or a user within their Zube account settings and should be treated with the same confidentiality as passwords. Each token can be revoked independently, providing a mechanism for cutting off one integration without affecting other users or integrations.

The table below summarizes the key characteristics of each method:

Method              When to use                                                  Security level and considerations
------------------  -----------------------------------------------------------  ------------------------------------------------------------------------
GitHub OAuth 2.0    Interactive user login to the Zube web interface.            High. Leverages GitHub's security, including MFA. Zube does not store
                                                                                 GitHub credentials. Relies on user consent and token expiry.
API tokens          Programmatic access, scripts, backend integrations,          Medium to high. Secure if stored properly and permissions are scoped.
                    automation.                                                  A bearer token is usable by anyone who holds it until it is revoked,
                                                                                 so it needs careful storage, monitoring and rotation.

Getting your credentials

The process for obtaining authentication credentials in Zube differs based on the method:

For GitHub OAuth 2.0 (User Login):

To log into Zube using GitHub OAuth, you simply navigate to the Zube login page. You will see an option to "Sign in with GitHub." Clicking this button initiates the OAuth flow:

  1. You are redirected to GitHub's authorization page.
  2. If not already logged in, you will be prompted to enter your GitHub username and password. If you have two-factor authentication (2FA) enabled on your GitHub account, you will also complete that step (see GitHub's 2FA documentation).
  3. GitHub will then ask for your permission to grant Zube access to specific GitHub resources (e.g., your public profile, repositories you own or contribute to). Review these permissions carefully before authorizing.
  4. Upon successful authorization, GitHub redirects your browser back to Zube with a short-lived authorization code, and you are logged in. Zube exchanges that code with GitHub server-side for an access token, which lets it interact with GitHub on your behalf; your GitHub password and second factor are only ever entered on GitHub's pages and never reach Zube.

There are no separate credentials to "get" from Zube for this method, as Zube relies entirely on GitHub for identity verification.
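The redirect flow described above, written from the relying party's side as an added example that is not Zube's code. It uses GitHub's real authorization and token endpoints but hypothetical client registration values, and its point is the `state` parameter: the callback is only accepted when it carries the random value stored in the browser session that started the login, which is what stops a forged or replayed callback from logging a victim into an attacker-chosen account. The callback URL in the demo is constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# GitHub's OAuth endpoints (real). Client values below are hypothetical placeholders.
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"
CLIENT_ID = "Iv1.hypothetical-client-id"
REDIRECT_URI = "https://zube.example/auth/github/callback"
SCOPES = ["read:user", "repo"]


def start_login(session: dict) -> str:
    """Step 1: build the redirect to GitHub and remember a fresh state in the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4: validate the callback and return the authorization code to exchange.

    Raises ValueError when the state is missing, does not match the session that
    started the login, has already been used, or when GitHub reported an error.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: consumed even on failure
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"GitHub returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_exchange_request(code: str, client_secret: str) -> dict:
    """Describe the server-to-server POST that trades the code for an access token.

    The client secret is sent only to GitHub from the server; it never reaches the
    browser, and neither does the resulting access token.
    """
    return {
        "url": TOKEN_URL,
        "headers": {"Accept": "application/json"},
        "data": {
            "client_id": CLIENT_ID,
            "client_secret": client_secret,
            "code": code,
            "redirect_uri": REDIRECT_URI,
        },
    }


if __name__ == "__main__":
    session = {}
    print("redirect user to:", start_login(session))
    # Constructed callback, as GitHub would send it after the user approves.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={session['oauth_state']}"
    code = handle_callback(session, callback)
    print("exchange request:", token_exchange_request(code, "hypothetical-secret"))
```

Storing the state server-side (or in an HttpOnly session cookie) and popping it on first use gives both the CSRF check and single-use semantics; a constant-time comparison keeps the check from leaking the expected value through timing.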

For API Tokens (Programmatic Access):

API tokens are generated within your Zube account settings:

  1. Log in to your Zube account using GitHub OAuth.
  2. Navigate to your user settings or organization settings (the exact path may vary but is typically under "Settings" or "Profile").
  3. Look for a section related to "API Tokens" or "Integrations."
  4. You will find an option to "Generate New Token" or "Create API Key."
  5. When generating the token, you may be prompted to provide a label or description for the token (e.g., "Integration with Zapier," "CI/CD Pipeline Access"). This helps in identifying the token's purpose later.
  6. Once generated, the API token will be displayed. Copy it immediately and store it securely: it is typically shown only once and cannot be retrieved again from Zube afterwards (see the Zube API tokens guide). If it is lost, revoke it and generate a new one.

Authenticated request example

When using a Zube API token for programmatic access, you include the token in the Authorization header of your HTTP requests. The token is typically prefixed with Bearer, following the OAuth 2.0 bearer token scheme.

Here's an example using curl to fetch projects from the Zube API:

ZUBE_API_TOKEN="$(cat ~/.config/zube/token)"   # read from a file with restricted permissions or a secret store, not typed inline
ORGANIZATION_ID="<your Zube organization ID>"
curl -sS --fail -X GET \
  -H "Authorization: Bearer ${ZUBE_API_TOKEN}" \
  "https://api.zube.com/v1/organizations/${ORGANIZATION_ID}/projects"

ZUBE_API_TOKEN holds the token you generated and ORGANIZATION_ID the ID of your Zube organization. Passing the token through a variable keeps it out of the command line you type (and out of shell history, if you read it from a file), and --fail makes a rejected token surface as a non-zero exit status rather than a silently ignored error body. Do not leave brace placeholders such as {organization_id} in the URL: curl treats braces as a globbing pattern and will rewrite the URL, so substitute the real value or pass --globoff. This structure is common across RESTful APIs that use bearer tokens, with each request carrying the credential needed for authorization.
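The same request from a script, as an added example rather than Zube's own client code. It reads the token from the environment (never from source), refuses to run without one, redacts the token in any error message, and turns a 401/403 into a distinct error so a revoked or under-scoped token is recognised instead of being retried blindly. The endpoint path follows the curl example on this page and the host is assumed from it; the Accept header and the rejecting opener used for the offline demo are constructed for the example.

```python
import json
import os
import urllib.error
import urllib.request

# Base URL taken from the curl example on this page; not independently verified here.
API_BASE = "https://api.zube.com/v1"


def load_token(env=None) -> str:
    """Read the token from ZUBE_API_TOKEN and fail closed if it is missing."""
    env = os.environ if env is None else env
    token = env.get("ZUBE_API_TOKEN", "").strip()
    if not token:
        raise RuntimeError("ZUBE_API_TOKEN is not set; refusing to call the API unauthenticated")
    return token


def redact(token: str) -> str:
    """Show only a short suffix so a token can be matched to its label without leaking it."""
    return "****" + token[-4:] if len(token) > 8 else "****"


def build_request(organization_id: str, token: str) -> urllib.request.Request:
    """GET /organizations/{id}/projects with the token as an OAuth 2.0 bearer credential."""
    url = f"{API_BASE}/organizations/{organization_id}/projects"
    return urllib.request.Request(
        url,
        method="GET",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def fetch_projects(organization_id: str, token: str, opener=urllib.request.urlopen):
    """Send the request; map an authentication/authorization failure to PermissionError.

    `opener` exists so the call can be exercised offline; production code uses urlopen.
    """
    req = build_request(organization_id, token)
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            raise PermissionError(
                f"token {redact(token)} was rejected (HTTP {e.code}); "
                "it may be revoked, expired or lack the needed scope"
            ) from e
        raise


def rejecting_opener(req, timeout=None):
    """Constructed stand-in for urlopen that behaves like the API after a token is revoked."""
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


if __name__ == "__main__":
    token = load_token({"ZUBE_API_TOKEN": "EXAMPLEtoken0123456789abcdef"})  # constructed
    try:
        fetch_projects("42", token, opener=rejecting_opener)
    except PermissionError as err:
        print("auth failure:", err)  # message carries only the redacted suffix
```

The error path matters as much as the happy path: a script that keeps hammering the API with a revoked token both floods the logs you would want to review for abuse and hides the fact that rotation or revocation broke an integration.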

Security best practices

Implementing security best practices is essential when managing authentication for Zube to protect your project data and maintain the integrity of your workflows:

  • Use GitHub's Two-Factor Authentication (2FA): Since Zube relies on GitHub OAuth for user login, enabling 2FA on your GitHub account (see GitHub's 2FA setup guide) adds a critical layer of security. This ensures that even if your password is compromised, an attacker cannot access your Zube (or GitHub) account without the second factor. Note that this protects the interactive login only; an API token is a bearer credential and is not covered by 2FA.
  • Scope API Token Permissions: Whenever possible, generate API tokens with the minimum necessary permissions required for their intended function. Granting a token full administrative access when it only needs to read issues creates an unnecessary security risk. Zube's API token generation process may offer options to limit scope; utilize these features.
  • Rotate API Tokens Regularly: Periodically revoke old API tokens and generate new ones. This practice minimizes the window of exposure if a token is inadvertently compromised. The frequency of rotation should align with your organization's security policies and risk assessment.
  • Store API Tokens Securely: Never hardcode API tokens directly into your source code or store them in publicly accessible repositories. Use environment variables, secure configuration files, or dedicated secret management services (e.g., AWS Secrets Manager, Google Secret Manager, HashiCorp Vault) to store and retrieve tokens. Access to these storage solutions should also be strictly controlled.
  • Monitor API Token Usage: If Zube provides auditing or logging capabilities for API token usage, regularly review these logs for any suspicious activity. Unusual request patterns or access from unexpected locations could indicate a compromised token.
  • Understand OAuth Permissions: When Zube requests permissions to access your GitHub account during the OAuth flow, carefully review what Zube is asking to access. Only grant permissions that are necessary for Zube to function correctly. Revoke any unnecessary grants from your GitHub authorized OAuth apps settings if you later determine they are not needed.
  • Keep Dependencies Updated: If you are building custom integrations with Zube's API, ensure that any libraries or frameworks you use for making HTTP requests and handling authentication are kept up-to-date. This protects against known vulnerabilities in these components.
  • Revoke Unused Tokens and Integrations: Regularly audit your Zube account for any API tokens or GitHub OAuth app authorizations that are no longer in use. Revoke them immediately to reduce potential attack surfaces.
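A lightweight check for the "never hardcode tokens" practice above, as an added example that is not Zube tooling. It scans source text for literal bearer values and literal assignments to a Zube-token-looking variable while skipping lines that read the value from the environment. The token format is not published on this page, so the patterns match the shape of an assignment or header rather than a specific token syntax; the sample source and the token in it are constructed. Run it in a pre-commit hook or CI alongside a dedicated secret scanner, not instead of one.

```python
import re

# Literal value after "Bearer " (a $VAR or placeholder shorter than 16 chars does not match).
LITERAL_BEARER = re.compile(r"Bearer\s+(?P<value>[A-Za-z0-9._\-]{16,})")
# ZUBE_API_TOKEN = "..." / zube_token: '...' / dotenv-style ZUBE_API_TOKEN=... with a literal value.
LITERAL_ASSIGN = re.compile(
    r"(?i)zube[_-]?(?:api[_-]?)?(?:token|key)\s*[:=]\s*(?P<q>[\"']?)(?P<value>[^\"'\s]{16,})(?P=q)"
)
# Lines that fetch the value at runtime: os.environ[...], getenv(...), $VAR, ${VAR}, $(cmd).
ENV_LOOKUP = re.compile(r"os\.environ|getenv|\$[({]?[A-Za-z_]")


def redact(token: str) -> str:
    """Keep only a short suffix so a finding can be triaged without reprinting the secret."""
    return "****" + token[-4:] if len(token) > 8 else "****"


def scan_source(text: str, path: str = "<memory>") -> list:
    """Return one finding per line that embeds a literal token value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ENV_LOOKUP.search(line):
            continue  # value resolved from the environment at runtime, not a literal
        for kind, pattern in (("bearer-literal", LITERAL_BEARER), ("assignment-literal", LITERAL_ASSIGN)):
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "kind": kind, "token": redact(m.group("value"))})
                break  # one finding per line is enough to block the commit
    return findings


# Constructed sample source; the token value is made up for the example.
SAMPLE_SOURCE = """\
import os
# fine: token read from the environment at runtime
token = os.environ["ZUBE_API_TOKEN"]
# bad: literal token assigned in source
ZUBE_API_TOKEN = "EXAMPLEtoken0123456789abcdef"
# bad: literal token in a header
headers = {"Authorization": "Bearer EXAMPLEtoken0123456789abcdef"}
# fine: the shell expands the variable from the environment
curl -H "Authorization: Bearer $ZUBE_API_TOKEN" https://api.zube.com/v1/organizations/42/projects
# bad: dotenv-style file committed with a real value
ZUBE_API_TOKEN=EXAMPLEtoken0123456789abcdef
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "constructed.txt"):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['token']})")
```

Findings report only the redacted suffix so the scanner's own output does not become another place the token is written down; the suffix is still enough to match the hit against the label you gave the token when it was generated, which is what you need to decide whether to revoke and rotate it.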