You click “Connect GitHub” in Claude, complete the OAuth flow, and Claude either says “no repos found,” shows only 5 public repos (none of your private projects), or fails outright with “could not connect to github.” This is GitHub’s three-tier access control (OAuth scope / SSO / org third-party approval) blocking you.
GitHub is harder than Notion or Google Drive because its enterprise defaults are extremely conservative: org admins must individually approve each third-party app, and under SSO, unapproved tokens are silently filtered with no error returned.
Common causes
Ordered by hit rate, highest first.
1. OAuth scope didn’t include private repos
GitHub OAuth defaults to public_repo only (public repos only). For private access you must explicitly check the repo scope — most people click through “Next” and miss it.
How to spot it: github.com/settings/applications → Authorized OAuth Apps → Claude → check Permissions. If “Full control of private repositories” isn’t listed, your scope is insufficient.
2. Org enforces SSO but Claude isn’t approved
Once an enterprise org turns on SAML SSO, third-party apps are by default excluded from SSO scope. Your personal token works, but private repos behind SSO silently return zero — no error.
How to spot it: github.com/settings/applications → Claude → Organization access — if your org shows a “Request” button instead of “Authorized,” that’s it.
3. Org requires admin approval for third-party apps
Some orgs enable “Require approval for all OAuth apps” under Settings → Third-party access. Even after you authorize, Claude sees zero repos in that org.
How to spot it: On GitHub → target org → Settings → Third-party Access → look for Claude in Pending or Denied.
4. Authorized account ≠ account with the code
The most insidious one. You log into Claude with personal@gmail.com, your browser is signed into personal-github, so OAuth goes to personal. But your code lives under work-github.
How to spot it: github.com top-right avatar vs. the “Connected as” label in Claude — same account or not?
5. PAT mode without fine-grained scope
Self-hosted / enterprise sometimes uses a Personal Access Token instead of OAuth. PAT default scopes are often too narrow or too wide. Fine-grained PATs require an explicit Repository access selection.
How to spot it: PAT or OAuth? When connecting in Claude, did it open GitHub OAuth or ask you to paste a token?
6. Rate limit / abuse detection
Repeated rapid retries or large queries can trigger GitHub’s abuse rate limit, returning 403.
How to spot it: Error includes “rate limit exceeded” or “abuse detection.”
Shortest path to fix
Step 1: Revoke and re-OAuth
Visit https://github.com/settings/applications
→ Authorized OAuth Apps → Claude → Revoke
Back to Claude → Settings → Connectors → GitHub → Disconnect → ConnectIn the auth dialog, check carefully:
- ✅
repo(Full control of private repositories) - ✅
read:org(Read org and team membership) - If specific orgs are listed, Grant access to each one you need
Step 2: Handle SSO
Back to github.com/settings/applications → Claude → Organization access:
- Org shows “Authorized” → OK
- Org shows “Request” button → click to send approval to org owner
- Org shows “Denied” → ask org owner to flip it to allow
When you email the org owner, attach the Claude OAuth app URL and the specific repo list you need access to. Vague asks get ignored.
Step 3: Handle Org Third-party approval
If the whole org is in OAuth restriction mode:
You are NOT org owner → email owner:
"Please approve Claude (OAuth app by Anthropic) under
Org Settings → Third-party Access → Pending requests."
You ARE org owner → Settings → Third-party Access
→ OAuth app policy → Approve "Claude."Step 4: Account match check
In Claude, ask:
List every GitHub org I can access via the connector.If the result doesn’t match what you expected, you authorized the wrong account. Disconnect, switch GitHub account in the browser, then Connect.
Step 5: PAT mode specifics
For fine-grained PAT:
Visit https://github.com/settings/personal-access-tokens/new
→ Repository access → All repositories (or selected)
→ Permissions:
- Contents: Read
- Metadata: Read
- Pull requests: Read (if you need PR access)
- Issues: Read (if you need issue access)
→ Generate, copy immediately (shown only once), paste into ClaudeStep 6: Rate-limit cooldown
If you triggered abuse detection: Disconnect → wait 60 minutes (not 5) → Connect, and ease off the initial query volume.
Prevention
- Note in your password manager which GitHub account is connected to Claude — avoid future confusion
- Request third-party access the day you join a new org, not when you finally need it
- Use separate browser profiles for personal vs. work accounts to avoid cross-auth
- Prefer fine-grained PATs over classic PATs; apply least-privilege scope
- For personal vs. work split, use two Claude Workspaces with their own GitHub authorizations
Related
- Claude usage limit
- Claude connector permission denied
- Claude beginner guide
- Claude prompt best practices
- Claude Projects
Tags: #Claude #Debug #Troubleshooting