GitHub repositories and permissions
Vibe Code Web works on GitHub repositories from a managed cloud sandbox. To do that, it relies on the Mistral GitHub App, which clones repositories, pushes branches, and opens pull requests on your behalf.
This page explains how authentication works, what the agent can and cannot do, and how to revoke access.
Authentication model
The Mistral GitHub App authenticates with GitHub in two distinct ways:
| Token | What it's used for | Effective scope |
|---|---|---|
| User access token | Repository read and write work on your behalf (clone, branch, commit, push, open pull request). | Restricted by both your GitHub permissions on the repository and the App's granted scopes. The narrower of the two wins. |
| Installation access token | App-level or bot-level actions, when those actions are live. | Limited to the scopes the App was granted at install time, scoped to the repositories the installation covers. |
Attribution
Code changes (commits, branches, pull requests) are authored via your user access token. The exact attribution shown in GitHub depends on your GitHub and Git configuration:
| Field | Source |
|---|---|
| Commit author | Your GitHub user, based on the user access token and your local Git config when the agent runs the commit. |
| Commit committer | Can differ from the author depending on Git settings (for example, GitHub web edits or merge commits). |
| Pull request author | Your GitHub user. |
Connect GitHub
The first time you create a project in Vibe Code Web, you're prompted to install the Mistral GitHub App and authorize it on your account or organization.
A typical setup:
- Open the GitHub connection flow from Vibe Code Web.
- Choose the GitHub account or organization where the target repository lives.
- Select all repositories or only the repositories the App should access.
- Confirm the installation.
- Authorize the App on your user account so it can act on your behalf.
Repeat this for each organization that should be reachable from Vibe Code Web.
A Vibe Code Web project can include multiple repositories, but they must all belong to the same GitHub owner (user account or organization). To work across different owners, create separate projects.
Organization owners may need to approve the installation before members can use Vibe Code Web on organization repositories.
Repository access
Grant the narrowest repository access that fits your workflow.
| Access choice | Use it when |
|---|---|
| Selected repositories | You want Vibe Code Web to work only on specific repositories. |
| All repositories | You trust the integration across the account or organization and want new repositories to be available automatically. |
Repository access can be changed later from GitHub settings.
What Vibe Code Web can do
Inside a Vibe Code Web session, the agent can:
- Clone an authorized repository into the cloud sandbox.
- Read files in the repository.
- Create branches and edit code.
- Run shell commands, tests, and build steps inside the sandbox.
- Commit and push changes to the repository.
- Open pull requests for you to review.
Vibe Code Web cannot:
- Access your local machine or local filesystem.
- Read or modify repositories you have not authorized.
- Bypass branch protections, required reviews,
CODEOWNERS, or required status checks. - Persist files outside the repository after the sandbox is deleted.
Use GitHub branch protections, CODEOWNERS, required reviews, and required status checks to gate sensitive branches. Vibe Code Web follows the same repository rules as any other contributor.
Manage and revoke access
Review or revoke access from GitHub at any time:
- Repository access: open github.com/settings/installations and update the Mistral GitHub App.
- Account authorization: open github.com/settings/applications and revoke the Mistral entry if you no longer want the account connected.
- Organization access: organization owners can manage the installation from the organization's GitHub App settings.
Revoking access stops new Vibe Code Web sessions from reaching the affected repositories. Branches, commits, and pull requests already pushed remain in GitHub.
Common access issues
| Issue | Check |
|---|---|
| Repository is missing | Confirm the Mistral GitHub App is installed for the account or organization, and that the repository is selected in the installation. |
| Organization repository unreachable | Check whether the organization owner has approved the App installation. Approval may be pending. |
| Repository belongs to a different GitHub owner | A project includes repositories from a single GitHub owner. Create a separate project for the other owner. |
| App installed but repository not listed | The App is installed but the repository was not selected in the installation. Update the App configuration in GitHub to add it. |
| Push or pull request fails | Check branch protection, required reviews, required status checks, and that you have write permission on the repository. |
| Authorized the App but pushes fail | You may have authorized the App without having write permission on the repository. Ask the repository or organization owner to grant write access. |
| Commits show the wrong author | Check the email exposed by your GitHub account settings and your local Git config. |