Radish alpha
Getting started

Accounts & sign-in

Radish uses GitHub as its identity provider. There is no separate Radish account — your GitHub account is your account here.

Why GitHub?

Radicle identities are cryptographic key pairs, not usernames and passwords. Asking every casual contributor to install tooling and manage a key file is exactly the friction Radish exists to remove.

Delegating sign-in to GitHub gets you logged in with a single click, gives Radish a stable user identifier (your GitHub username), and — if you opt in — lets you carry your Radicle key with you in a private repository on your own GitHub account.

Signing in

  1. Click Sign in in the top-right of any page.
  2. You're sent to GitHub's standard OAuth screen. Approve the requested permissions.
  3. GitHub redirects you back to Radish. The first time you sign in you'll see the onboarding screen, where you choose how to store your Radicle key.
  4. From then on, signing in is one click — your session is restored automatically.

What Radish reads from GitHub

Two scopes are possible, depending on the choice you make at onboarding:

If you choose…GitHub permissionsWhat Radish reads
Store key on this instance Public profile only Your GitHub username, user ID, and SSH public keys. Nothing else.
Store key on GitHub Repository access Your username, SSH public keys, plus read/write to repositories so that it can access your .radish repo. GitHub doesn't allow scoping OAuth tokens to one repo, so this grant is broader than the actual access pattern.

You can change your mind later from your profile page, and Radish will migrate your key without changing your identity.

Sessions and cookies

After OAuth completes, Radish stores your GitHub access token in a single cookie. The cookie is:

  • Encrypted with a server-side key — even if someone reads the cookie, they cannot recover the GitHub token without compromising the server.
  • HttpOnly — JavaScript on the page cannot read it, so a cross-site script can't steal your session.
  • Secure when running over HTTPS.

That cookie is the only credential Radish keeps client-side. Closing your browser and clicking Sign out both clear it.

What gets created behind the scenes

When you sign in for the first time, Radish records a small amount of state in its database:

  • Your GitHub username and ID, used to look you up on subsequent requests.
  • Your Radicle DID (decentralized identifier) once your key has been generated, so you can be linked from issues, comments, and patches.
  • Whether your key is stored on GitHub or on this server.

Your private key is never stored in the Radish database, even briefly. See Keys & identity for the details.

Signing out

Click your avatar in the top-right and choose Sign out. The session cookie is cleared and your GitHub token is forgotten.

To revoke Radish's access to your GitHub account entirely, visit github.com/settings/applications and remove the Radish OAuth app.

Previous ← Introduction Next Keys & identity →