GitHub Token Pool

A service that collects and manages GitHub API tokens from contributors to distribute rate limits across a shared pool. Inspired by Shields.io's token pool.

How It Works

Contributors authenticate via GitHub OAuth (read-only public data access)
Tokens are encrypted (AES-256-GCM) and stored in SQLite
Consumer vals import getToken() to get a healthy token rotation
Rate limits are tracked per-token; exhausted tokens are quarantined until reset

Used By

This pool powers GitHub API calls in:

github-zip-api — Fetch GitHub repo contents as zip
claude-plugins-registry — Plugin registry for Claude Code

Setup

1. Create GitHub OAuth App

Go to https://github.com/settings/developers and create a new OAuth App:

Application name: Token Pool (or whatever)
Homepage URL: Your val endpoint
Callback URL: https://<your-endpoint>/callback
Scopes: None needed (public data only)

2. Set Environment Variables

Add these to your val:

GITHUB_CLIENT_ID=your_client_id
GITHUB_CLIENT_SECRET=your_client_secret
TOKEN_ENCRYPTION_KEY=<32 hex chars>

Generate encryption key: openssl rand -hex 32

Consumer Usage

Import directly from the pool library — no HTTP API needed (SQLite is shared across your vals and you must set TOKEN_ENCRYPTION_KEY env in the Val):

import {
  getToken,
  syncTokenHealth,
} from "https://esm.town/v/kamalnrf/token-pool/lib/pool.ts";

// Get a healthy token (LRU selection)
const t = await getToken();

if (t) {
  const res = await fetch("https://api.github.com/repos/owner/repo", {
    headers: {
      Authorization: `Bearer ${t.token}`,
      "User-Agent": "my-val",
    },
  });

  // Updates rate limits, or removes token if revoked (401)
  await syncTokenHealth(t.id, res);
}

API Reference

`getToken(): Promise<TokenWithSecret | null>`

Returns the least-recently-used healthy token, or null if pool is empty/exhausted.

interface TokenWithSecret {
  id: number;
  github_user_id: string;
  github_username: string | null;
  token: string; // Decrypted, ready to use
  rate_limit_remaining: number;
  rate_limit_reset_at: number | null;
  // ...
}

`syncTokenHealth(tokenId: number, response: Response): Promise<void>`

Call after every GitHub API request. Handles:

401: Removes revoked/invalid token from pool
Other: Updates rate limit tracking from response headers

`reportUsage(tokenId: number, rateLimit: RateLimitInfo): Promise<void>`

Lower-level function to update token health. Prefer handleResponse for most cases.

`parseRateLimitHeaders(headers: Headers): RateLimitInfo`

Helper to extract rate limit info from GitHub response headers.

Endpoints

Path	Description
`/`	Landing page with pool stats
`/auth`	Start GitHub OAuth flow
`/callback`	OAuth callback handler
`/status`	JSON pool statistics