Environment:OpenHands OpenHands Integration Credentials

Overview

OAuth credentials and webhook secrets for GitHub, GitLab, Bitbucket, Slack, Jira, and Linear integrations.

Description

The OpenHands enterprise platform integrates with multiple external services for code hosting, project management, and team communication. Each integration requires OAuth application credentials (client ID and secret) for user authentication, and webhook secrets for verifying incoming event payloads. Integrations can be individually enabled or disabled via feature flags. The system also requires reCAPTCHA Enterprise credentials for bot protection during authentication flows.

Usage

Use this environment when deploying the OpenHands SaaS server with any of the supported external integrations. The GitHub integration is the primary integration used by the GitHub Webhook Event Processing workflow. Each integration can be independently enabled via its respective feature flag environment variable.

System Requirements

Dependencies

Python Packages

• `pygithub` >= 2.5 (GitHub API client)
• `slack-sdk` >= 3.35.0 (Slack API client)
• `python-keycloak` >= 5.3.1 (Keycloak identity client)
• `gspread` >= 6.1.4 (Google Sheets for user allowlists)
• `google-cloud-recaptcha-enterprise` >= 1.24.0 (bot protection)

Credentials

GitHub App:

• `GITHUB_APP_CLIENT_ID`: GitHub OAuth App client ID
• `GITHUB_APP_CLIENT_SECRET`: GitHub OAuth App client secret
• `GITHUB_APP_WEBHOOK_SECRET`: Secret for verifying GitHub webhook signatures
• `GITHUB_APP_PRIVATE_KEY`: GitHub App private key (PEM format; `\n` escaped as `\\n`)
• `GITHUB_WEBHOOKS_ENABLED`: Enable GitHub webhook processing (default: 1/true)

GitLab:

• `GITLAB_APP_CLIENT_ID`: GitLab OAuth App client ID
• `GITLAB_APP_CLIENT_SECRET`: GitLab OAuth App client secret

Bitbucket:

• `BITBUCKET_APP_CLIENT_ID`: Bitbucket OAuth consumer client ID
• `BITBUCKET_APP_CLIENT_SECRET`: Bitbucket OAuth consumer client secret

Slack:

• `SLACK_CLIENT_ID`: Slack App client ID
• `SLACK_CLIENT_SECRET`: Slack App client secret
• `SLACK_SIGNING_SECRET`: Secret for verifying Slack request signatures
• `SLACK_WEBHOOKS_ENABLED`: Enable Slack event processing (default: 0/false)

Jira Cloud:

• `ENABLE_JIRA`: Enable Jira Cloud integration (default: false)
• `JIRA_CLIENT_ID`: Jira OAuth 2.0 client ID
• `JIRA_CLIENT_SECRET`: Jira OAuth 2.0 client secret
• `JIRA_WEBHOOKS_ENABLED`: Enable Jira webhook processing (default: 0/false)

Jira Data Center:

• `ENABLE_JIRA_DC`: Enable Jira DC integration (default: false)
• `JIRA_DC_CLIENT_ID`: Jira DC OAuth client ID
• `JIRA_DC_CLIENT_SECRET`: Jira DC OAuth client secret
• `JIRA_DC_BASE_URL`: Jira DC instance URL
• `JIRA_DC_ENABLE_OAUTH`: Enable OAuth for Jira DC (default: 1/true)
• `JIRA_DC_WEBHOOKS_ENABLED`: Enable Jira DC webhook processing (default: 0/false)

Linear:

• `ENABLE_LINEAR`: Enable Linear integration (default: false)
• `LINEAR_CLIENT_ID`: Linear OAuth client ID
• `LINEAR_CLIENT_SECRET`: Linear OAuth client secret
• `LINEAR_WEBHOOKS_ENABLED`: Enable Linear webhook processing (default: 0/false)

reCAPTCHA Enterprise:

• `RECAPTCHA_PROJECT_ID`: GCP project ID for reCAPTCHA
• `RECAPTCHA_SITE_KEY`: reCAPTCHA site key
• `RECAPTCHA_HMAC_SECRET`: HMAC secret for account ID hashing
• `RECAPTCHA_BLOCK_THRESHOLD`: Score threshold for blocking (default: 0.3)

Access Control:

• `ROLE_CHECK_ENABLED`: Enable role-based access control (default: false)
• `DUPLICATE_EMAIL_CHECK`: Check for duplicate emails (default: true)
• `DISABLE_WAITLIST`: Disable signup waitlist (default: false)
• `ENABLE_ENTERPRISE_SSO`: Enable enterprise SSO

Code Evidence

GitHub App credentials from `enterprise/server/auth/constants.py:3-6`:

GITHUB_APP_CLIENT_ID = os.getenv('GITHUB_APP_CLIENT_ID', '').strip()
GITHUB_APP_CLIENT_SECRET = os.getenv('GITHUB_APP_CLIENT_SECRET', '').strip()
GITHUB_APP_WEBHOOK_SECRET = os.getenv('GITHUB_APP_WEBHOOK_SECRET', '')
GITHUB_APP_PRIVATE_KEY = os.getenv('GITHUB_APP_PRIVATE_KEY', '').replace('\\n', '\n')

Feature flag pattern for integrations from `enterprise/server/auth/constants.py:21-23`:

ENABLE_JIRA = os.environ.get('ENABLE_JIRA', 'false') == 'true'
ENABLE_JIRA_DC = os.environ.get('ENABLE_JIRA_DC', 'false') == 'true'
ENABLE_LINEAR = os.environ.get('ENABLE_LINEAR', 'false') == 'true'

reCAPTCHA configuration from `enterprise/server/auth/constants.py:44-48`:

RECAPTCHA_PROJECT_ID = os.getenv('RECAPTCHA_PROJECT_ID', '').strip()
RECAPTCHA_SITE_KEY = os.getenv('RECAPTCHA_SITE_KEY', '').strip()
RECAPTCHA_HMAC_SECRET = os.getenv('RECAPTCHA_HMAC_SECRET', '').strip()
RECAPTCHA_BLOCK_THRESHOLD = float(os.getenv('RECAPTCHA_BLOCK_THRESHOLD', '0.3'))

Common Errors

Compatibility Notes

• Feature Flags: Each integration has separate enable flags (e.g., `ENABLE_JIRA`) and webhook enable flags (e.g., `JIRA_WEBHOOKS_ENABLED`). Both must be enabled for full functionality.
• GitHub Private Key: The PEM private key must have its newlines escaped as `\\n` when stored in environment variables. The code unescapes them at `constants.py:6`.
• reCAPTCHA Threshold: The default block threshold of 0.3 means scores below 0.3 are blocked. Lower values are more permissive; higher values are more restrictive.
• Suspicious Labels: The system tracks reCAPTCHA Account Defender labels: `SUSPICIOUS_LOGIN_ACTIVITY`, `SUSPICIOUS_ACCOUNT_CREATION`, `RELATED_ACCOUNTS_NUMBER_HIGH`.

Related Pages

• Implementation:OpenHands_OpenHands_GithubManager_Receive_Message
• Implementation:OpenHands_OpenHands_GithubManager_Is_Job_Requested
• Implementation:OpenHands_OpenHands_GithubFactory_Create_View
• Implementation:OpenHands_OpenHands_GithubManager_Add_Reaction
• Implementation:OpenHands_OpenHands_GithubManager_Send_Message
• Implementation:OpenHands_OpenHands_GithubV1CallbackProcessor_Call